deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 06:43:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into asr-content-updates

Browse Source
This commit is contained in:
Marty Hernandez Avedon
2020-03-24 10:19:13 -04:00
committed by GitHub
parent b6f8fdff6b 0d297c7e47
commit 4e5ee6dad7
367 changed files with 6315 additions and 6460 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/security/identity-protection/TOC.md
View File

@ -24,6 +24,7 @@
### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
### [Credential Guard Requirements](credential-guard/credential-guard-requirements.md)
### [Manage Credential Guard](credential-guard/credential-guard-manage.md)
### [Hardware readiness tool](credential-guard/dg-readiness-tool.md)
### [Credential Guard protection limits](credential-guard/credential-guard-protection-limits.md)
### [Considerations when using Credential Guard](credential-guard/credential-guard-considerations.md)
### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)

37
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -12,7 +12,6 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 03/01/2019
ms.reviewer:
---
@ -25,7 +24,7 @@ ms.reviewer:
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
@ -86,22 +85,24 @@ You can do this by using either the Control Panel or the Deployment Image Servic
```
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
```
> [!NOTE]
> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
NOTE: In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
> [!NOTE]
> [!TIP]
> You can also add these features to an online image by using either DISM or Configuration Manager.
#### Enable virtualization-based security and Windows Defender Credential Guard
1. Open Registry Editor.
2. Enable virtualization-based security:
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
- Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
- Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
3. Enable Windows Defender Credential Guard:
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
4. Close Registry Editor.
@ -112,7 +113,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg_readiness_tool.md).
You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool.ps1 -Enable -AutoReboot
@ -135,7 +136,7 @@ You can view System Information to check that Windows Defender Credential Guard
![System Information](images/credguard-msinfo32.png)
You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool_v3.6.ps1 -Ready
@ -152,8 +153,8 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0
- The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means its not configured to run.
- The second variable: 0 means its configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
- The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it's not configured to run.
- The second variable: 0 means it's configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
- **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
- **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
@ -165,9 +166,11 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
To disable Windows Defender Credential Guard, you can use the following set of procedures or [the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy.
1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
2. Delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
3. If you also wish to disable virtualization-based security delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
@ -188,14 +191,18 @@ To disable Windows Defender Credential Guard, you can use the following set of p
```
5. Restart the PC.
6. Accept the prompt to disable Windows Defender Credential Guard.
7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set vsmlaunchtype off
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
>
>```
>bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
>bcdedit /set vsmlaunchtype off
>```
> [!NOTE]
> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
@ -206,7 +213,7 @@ For more info on virtualization-based security and Windows Defender Device Guard
#### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot

5
windows/security/identity-protection/credential-guard/dg_readiness_tool.md → windows/security/identity-protection/credential-guard/dg-readiness-tool.md
View File

@ -12,7 +12,6 @@ ms.author: stsyfuhs
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 09/18/2019
ms.reviewer:
---
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
@ -152,8 +151,8 @@ function CheckExemption($_ModName)
}
function CheckFailedDriver($_ModName, $CIStats)
{
function CheckFailedDriver($_ModName, $CIStats)''
{''
Log "Module: " $_ModName.Trim()
if(CheckExemption($_ModName.Trim()) - eq 1)
{

6
windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
View File

@ -23,10 +23,8 @@ ms.reviewer:
**Requirements:**
* Windows Hello for Business deployment (Hybrid or On-premises)
* Azure AD joined device (Cloud and Hybrid deployments)
* Hybrid Azure AD joined (Hybrid deployments)
* Domain Joined (on-premises deployments)
* Windows 10, version 1709
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
* Windows 10, version 1709 or newer
* Bluetooth, Bluetooth capable phone - optional
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.

2
windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
View File

@ -26,7 +26,7 @@ ms.reviewer:
- Key trust
> [!NOTE]
>There was an issue with key trust on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
>There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
## How many is adequate

20
windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
View File

@ -15,7 +15,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
ms.date: 03/05/2020
---
# Windows Hello biometrics in the enterprise
@ -28,34 +28,36 @@ Windows Hello is the biometric authentication feature that helps strengthen auth
>[!NOTE]
>When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Because we realize your employees are going to want to use this new technology in your enterprise, weve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
Because we realize your employees are going to want to use this new technology in your enterprise, we've been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
## How does Windows Hello work?
Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesnt roam among devices, isnt shared with a server, and cant easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
## Why should I let my employees use Windows Hello?
Windows Hello provides many benefits, including:
- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, its much more difficult to gain access without the employees knowledge.
- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge.
- Employees get a simple authentication method (backed up with a PIN) thats always with them, so theres nothing to lose. No more forgetting passwords!
- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords!
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
## Where is Windows Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesnt roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still cant be easily converted to a form that could be recognized by the biometric sensor.
The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
## Has Microsoft set any device requirements for Windows Hello?
Weve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm.
- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
### Fingerprint sensor requirements
To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employees unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required).
To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required).
**Acceptable performance range for small to large size touch sensors**
@ -70,7 +72,7 @@ To allow fingerprint matching, you must have devices with fingerprint sensors an
- Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%
### Facial recognition sensors
To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employees facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
- False Accept Rate (FAR): &lt;0.001%

2
windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
View File

@ -42,7 +42,7 @@ Do not begin your deployment until the hosting servers and infrastructure (not r
## Deployment and trust models
Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: *Key trust* or *certificate trust*.
Windows Hello for Business has three deployment models: Cloud, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*.
Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.

4
windows/security/identity-protection/hello-for-business/hello-faq.md
View File

@ -50,6 +50,9 @@ It is currently possible to set a convenience PIN on Azure Active Directory Join
## Can I use an external camera when my laptop is closed or docked?
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
## Why does authentication fail immediately after provisioning Hybrid Key Trust?
In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
## What is the password-less strategy?
Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**.
@ -166,4 +169,3 @@ Windows Hello for Business can work with any third-party federation servers that
## Does Windows Hello for Business work with Mac and Linux clients?
Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).

2
windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
View File

@ -285,7 +285,7 @@ A TPM implements controls that meet the specification described by the Trusted C
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-recommendations).
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.

7
windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
View File

@ -37,7 +37,10 @@ New installations are considerably more involved than existing implementations b
The new installation baseline begins with a basic Active Directory deployment and enterprise PKI.
## Active Directory
This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 or later domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
> [!NOTE]
>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal.
@ -93,7 +96,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Highly available certificate revocation list (Azure AD Joined devices).
## Azure Active Directory
Youve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities.
You've prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities.
The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization.

5
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -41,6 +41,9 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
> [!NOTE]
>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs.
@ -112,7 +115,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication.
Hybrid Windows Hello for Business deployments can use Azures Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
### Section Review
> [!div class="checklist"]

5
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
View File

@ -25,7 +25,10 @@ ms.reviewer:
- Key trust
Key trust deployments need an adequate number of 2016 domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
> [!NOTE]
>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.

73
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
View File

@ -64,14 +64,24 @@ Domain controllers automatically request a domain controller certificate (if pub
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprises needs.
**Note**If you use different template names, youll need to remember and substitute these names in different portions of the lab.
> [!NOTE]
> If you use different template names, youll need to remember and substitute these names in different portions of the lab.
6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
8. Close the console.
### Superseding the existing Domain Controller certificate
@ -81,14 +91,23 @@ Many domain controllers may have an existing domain controller certificate. The
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
4. Click the **Superseded Templates** tab. Click **Add**.
5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
9. Click **OK** and close the **Certificate Templates** console.
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
@ -98,16 +117,28 @@ The certificate template is configured to supersede all the certificate template
Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs.
**Note:** If you use different template names, youll need to remember and substitute these names in different portions of the lab.
5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs.
> [!NOTE]
> If you use different template names, youll need to remember and substitute these names in different portions of the lab.
6. On the **Request Handling** tab, select **Allow private key to be exported**.
7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission.
9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
10. Close the console.
### Unpublish Superseded Certificate Templates
@ -117,10 +148,15 @@ The certificate authority only issues certificates based on published certificat
The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Expand the parent node from the navigation pane.
3. Click **Certificate Templates** in the navigation pane.
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
### Publish Certificate Templates to the Certificate Authority
@ -128,13 +164,20 @@ Sign-in to the certificate authority or management workstation with _Enterprise
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Expand the parent node from the navigation pane.
3. Click **Certificate Templates** in the navigation pane.
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list.
* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
\* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
7. Close the console.
@ -143,23 +186,37 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
3. Right-click **Group Policy object** and select **New**
4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**.
5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
8. In the details pane, right-click **Certificate Services Client Auto-Enrollment** and select **Properties**.
9. Select **Enabled** from the **Configuration Model** list.
10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box.
11. Select the **Update certificates that use certificate templates** check box.
12. Click **OK**. Close the **Group Policy Management Editor**.
### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**
1. Start the **Group Policy Management Console** (gpmc.msc).
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**.
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
### Validating your work

11
windows/security/identity-protection/hello-for-business/hello-overview.md
View File

@ -44,19 +44,12 @@ As an administrator in an enterprise or educational organization, you can create
## Biometric sign-in
Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that dont currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users credentials.
Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials.
- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10.
Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesnt roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, theres no single collection point an attacker can compromise to steal biometric data.
## From Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure sign-in method.
Fingerprint scan can be enabled on laptop computers using a built-in fingerprint reader or an external USB fingerprint reader, as follows:
1. Go to **Settings** > **Accounts** > **Sign-in-options** > **Windows Hello Fingerprint** > **Add fingerprint**
2. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration.
3. Windows Biometric data is located in the `C:\Windows\System32\WinBioDatabase\` folder (fingerprint data is stored with the .DAT file name extension).
4. If you are unable to sign in with previously registered fingerprints, delete the entire content of this folder and register your fingerprints again.
Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md).
## The difference between Windows Hello and Windows Hello for Business

32
windows/security/identity-protection/hello-for-business/hello-planning-guide.md
View File

@ -23,13 +23,13 @@ ms.reviewer:
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, youll use that information to select the correct deployment guide for your needs.
This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
## Using this guide
There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize theyve already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options youll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier.
This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier.
### How to Proceed
@ -80,13 +80,13 @@ The on-premises deployment model is for organizations that do not have cloud ide
> Reset above lock screen - Windows 10, version 1709, Professional</br>
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
Its fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure.
It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure.
#### Trust types
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
@ -99,14 +99,14 @@ All devices included in the Windows Hello for Business deployment must go throug
#### Key registration
The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their users credentials. The private key is protected by the devices security modules; however, the credential is a user key (not a device key). The provisioning experience registers the users public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user's public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
#### Multifactor authentication
> [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the users weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
> [!NOTE]
@ -156,9 +156,9 @@ Some deployment combinations require an Azure account, and some require Azure Ac
## Planning a Deployment
Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organizations infrastructure.
Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization's infrastructure.
Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, youll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment.
Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you'll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment.
### Deployment Model
@ -170,8 +170,8 @@ If your organization is federated with Azure or uses any online service, such as
If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet.
> [!NOTE]
> If youre unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results.
> ```Get-AdObject CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords```
> If you're unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results.
> ```Get-AdObject "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords```
> * If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type.
> * If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement
> * If the value begins with **azureADName:** write **Hybrid** in box **1a**on your planning worksheet.
@ -209,13 +209,13 @@ If box **1a** on your planning worksheet reads **on-premises**, write **AD FS**
### Directory Synchronization
Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the users phone number to perform multi-factor authentication during provisioning or writing the users public key.
Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multi-factor authentication during provisioning or writing the user's public key.
If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Azure Active Directory and there is not another directory with which the information must be synchronized.
If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the users credentials remain on the on-premises network.
If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user's credentials remain on the on-premises network.
### Multifactor Authentication
@ -341,6 +341,6 @@ Modern managed devices do not require an Azure AD premium subscription. By forg
If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet. Otherwise, write **No** in box **6c**.
## Congratulations, Youre Done
## Congratulations, You're Done
Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, youll be able to identify key elements of your Windows Hello for Business deployment.
Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.

862
windows/security/threat-protection/TOC.md
View File

@ -2,119 +2,110 @@
## [Overview]()
### [What is Microsoft Defender Advanced Threat Protection?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
### [Overview of Microsoft Defender ATP capabilities](microsoft-defender-atp/overview.md)
### [Threat & Vulnerability Management]()
#### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Configuration score](microsoft-defender-atp/configuration-score.md)
#### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md)
#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Preview features](microsoft-defender-atp/preview.md)
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
## [Deployment strategy](microsoft-defender-atp/deployment-strategy.md)
## [Deployment guide]()
### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
### [Phase 2: Setup](microsoft-defender-atp/production-deployment.md)
### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
### [Attack surface reduction]()
#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
##### [Application isolation]()
###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
#### [Application control](windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection](microsoft-defender-atp/exploit-protection.md)
#### [Network protection](microsoft-defender-atp/network-protection.md)
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
##### [Web threat protection]()
###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
#### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
#### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
### [Endpoint detection and response]()
#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
#### [Incidents queue]()
##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
#### [Alerts queue]()
##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
##### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
##### [Investigate files](microsoft-defender-atp/investigate-files.md)
##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
#### [Machines list]()
##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
## [Security administration]()
### [Threat & Vulnerability Management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
### [Configuration score](microsoft-defender-atp/configuration-score.md)
### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
#### [Take response actions]()
##### [Take response actions on a machine]()
###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
##### [Take response actions on a file]()
###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
##### [Investigate entities using Live response]()
###### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
### [Automated investigation and remediation (AIR)]()
#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
## [Security operations]()
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
### [Incidents queue]()
#### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
#### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
#### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
### [Alerts queue]()
#### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
#### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
#### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
#### [Investigate files](microsoft-defender-atp/investigate-files.md)
#### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
#### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
#### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
##### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
#### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
### [Machines list]()
#### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
#### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
### [Take response actions]()
#### [Take response actions on a machine]()
##### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
##### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
##### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
##### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
##### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
##### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
##### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
##### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
##### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
##### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
#### [Take response actions on a file]()
##### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
##### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
##### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
##### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
##### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
##### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
##### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
##### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
##### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
##### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
##### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
### [Investigate entities using Live response]()
#### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
#### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
#### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
#### [Work with query results](microsoft-defender-atp/advanced-hunting-query-results.md)
#### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
#### [Advanced hunting schema reference]()
##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
@ -135,254 +126,307 @@
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
### [Reporting]()
#### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
#### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
#### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
### [Custom detections]()
#### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
#### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
## [How-to]()
### [Onboard devices to the service]()
#### [Onboard machines to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md)
#### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
#### [Onboard Windows 10 machines]()
##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
##### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
##### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
##### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
##### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md)
##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md)
#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
#### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md)
#### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
#### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md)
#### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md)
#### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
#### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md)
#### [Troubleshoot onboarding issues]()
##### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
##### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
### [Manage machine configuration]()
#### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md)
#### [Monitor and increase machine onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
#### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
#### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
### [Manage capabilities]()
#### [Configure attack surface reduction]()
##### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Hardware-based isolation]()
##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
##### [Application isolation]()
###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
###### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Device control]()
###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
###### [Device Guard]()
####### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
####### [Memory integrity]()
######## [Understand memory integrity](device-guard/memory-integrity.md)
######## [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
######## [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Exploit protection]()
###### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
###### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
##### [Network protection](microsoft-defender-atp/enable-network-protection.md)
##### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
##### [Attack surface reduction controls]()
###### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
###### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
#### [Configure next-generation protection]()
##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection]()
###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility]()
###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
##### [Deploy, manage updates, and report on antivirus]()
###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
###### [Report on antivirus protection]()
####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
###### [Manage updates and apply baselines]()
####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
##### [Customize, initiate, and review the results of scans and remediation]()
###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage antivirus in your business]()
###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
##### [Manage scans and remediation]()
###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage next-generation protection in your business]()
###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
#### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
##### [What's New](microsoft-defender-atp/mac-whatsnew.md)
##### [Deploy]()
###### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
###### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
###### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
###### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
##### [Update](microsoft-defender-atp/mac-updates.md)
##### [Configure]()
###### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
###### [Set preferences](microsoft-defender-atp/mac-preferences.md)
###### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
##### [Troubleshoot]()
###### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
###### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
###### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
###### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
##### [Privacy](microsoft-defender-atp/mac-privacy.md)
##### [Resources](microsoft-defender-atp/mac-resources.md)
#### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
##### [Deploy]()
###### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
###### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
###### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
##### [Update](microsoft-defender-atp/linux-updates.md)
##### [Configure]()
###### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
###### [Set preferences](microsoft-defender-atp/linux-preferences.md)
##### [Resources](microsoft-defender-atp/linux-resources.md)
#### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
### [Configure portal settings]()
#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
#### [General]()
##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
#### [Permissions]()
##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
####### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
#### [APIs]()
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
#### [Rules]()
##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
#### [Machine management]()
##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
### [Configure integration with other Microsoft solutions]()
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
## Reference
### [Capabilities]()
#### [Threat & Vulnerability Management]()
##### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [Attack surface reduction]()
##### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
##### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
##### [Hardware-based isolation]()
###### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation]()
####### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](microsoft-defender-atp/exploit-protection.md)
##### [Network protection](microsoft-defender-atp/network-protection.md)
##### [Web protection]()
###### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
###### [Web threat protection]()
####### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
####### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
#######[Respond to web threats](microsoft-defender-atp/web-protection-response.md)
###### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
##### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
##### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
#### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
##### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
##### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
##### [Shadow protection](windows-defender-antivirus/shadow-protection.md)
#### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)
#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
#### [Custom detections]()
##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
### [Management and APIs]()
#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
### [Integrations]()
#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
#### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
#### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
### [Information protection in Windows overview]()
#### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
## [Deployment guide]()
### [Product brief](microsoft-defender-atp/product-brief.md)
### [Prepare deployment](microsoft-defender-atp/prepare-deployment.md)
### [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
### [Production deployment](microsoft-defender-atp/production-deployment.md)
### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
## [Get started]()
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
### [Validate licensing and complete setup](microsoft-defender-atp/licensing.md)
### [Evaluation lab](microsoft-defender-atp/evaluation-lab.md)
### [Preview features](microsoft-defender-atp/preview.md)
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md)
### [Evaluate Microsoft Defender ATP]()
#### [Attack surface reduction and next-generation capability evaluation]()
##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md)
##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md)
##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
##### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
## [Configure and manage capabilities]()
### [Configure attack surface reduction]()
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
### [Hardware-based isolation]()
#### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
#### [Application isolation]()
##### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
#### [Device control]()
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
##### [Device Guard]()
###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
###### [Memory integrity]()
####### [Understand memory integrity](device-guard/memory-integrity.md)
####### [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
####### [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
#### [Exploit protection]()
##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
##### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
#### [Network protection](microsoft-defender-atp/enable-network-protection.md)
#### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
#### [Attack surface reduction controls]()
##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
### [Configure next-generation protection]()
#### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
##### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
##### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
##### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
##### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
##### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
##### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
#### [Configure behavioral, heuristic, and real-time protection]()
##### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
#### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
#### [Antivirus compatibility]()
##### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
##### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
#### [Deploy, manage updates, and report on antivirus]()
##### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
##### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
###### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
##### [Report on antivirus protection]()
###### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
###### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
##### [Manage updates and apply baselines]()
###### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
###### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
###### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
###### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
###### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
#### [Customize, initiate, and review the results of scans and remediation]()
##### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
##### [Configure and validate exclusions in antivirus scans]()
###### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
###### [Configure antivirus exclusions Windows Server 2016 and 2019](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
##### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
##### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
##### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
##### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
##### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
#### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
#### [Manage antivirus in your business]()
##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
##### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
##### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
#### [Manage scans and remediation]()
##### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
##### [Configure and validate exclusions in antivirus scans]()
###### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
###### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
##### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
#### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
##### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
##### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
##### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
##### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
#### [Manage next-generation protection in your business]()
##### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
##### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
##### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
#### [Deploy]()
##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
##### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
#### [Update](microsoft-defender-atp/mac-updates.md)
#### [Configure]()
##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
#### [Troubleshoot]()
##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
#### [Privacy](microsoft-defender-atp/mac-privacy.md)
#### [Resources](microsoft-defender-atp/mac-resources.md)
### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
#### [Deploy]()
##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
#### [Update](microsoft-defender-atp/linux-updates.md)
#### [Configure]()
##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
#### [Resources](microsoft-defender-atp/linux-resources.md)
### [Configure Secure score dashboard security controls](microsoft-defender-atp/configuration-score.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
### [Management and API support]()
#### [Onboard devices to the service]()
##### [Onboard machines to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md)
##### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
##### [Onboard Windows 10 machines]()
###### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
###### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
###### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
###### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
###### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md)
###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md)
##### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
##### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md)
##### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
##### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md)
##### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md)
##### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
##### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md)
##### [Troubleshoot onboarding issues]()
###### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
#### [Microsoft Defender ATP API]()
##### [Get started]()
###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
@ -417,7 +461,7 @@
####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
####### [Get installed software](microsoft-defender-atp/get-installed-software.md)
####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md)
####### [Get security recommendation](microsoft-defender-atp/get-security-recommendations.md)
####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md)
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
@ -503,19 +547,12 @@
###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
#### [Windows updates (KB) info]()
##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md)
#### [Common Vulnerabilities and Exposures (CVE) to KB map]()
##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
#### [Pull detections to your SIEM tools]()
#### [Raw data streaming API]()
##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md)
##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
#### [SIEM integration]()
##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
@ -525,27 +562,13 @@
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Reporting]()
##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
##### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
#### [Partners & APIs]()
##### [Partner applications](microsoft-defender-atp/partner-applications.md)
##### [Connected applications](microsoft-defender-atp/connected-applications.md)
##### [API explorer](microsoft-defender-atp/api-explorer.md)
#### [Manage machine configuration]()
##### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md)
##### [Monitor and increase machine onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
##### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
##### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
#### [Role-based access control]()
##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
@ -555,47 +578,65 @@
#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md)
## [Partner integration scenarios]()
### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md)
### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md)
### [Partner integration scenarios]()
#### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
#### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md)
#### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md)
## [Configure Microsoft threat protection integration]()
### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
### [Integrations]()
#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
#### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
#### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
## [Configure portal settings]()
### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
### [General]()
#### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
#### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
#### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
#### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
### [Permissions]()
#### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
#### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
##### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
### [Information protection in Windows overview]()
#### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
### [APIs]()
#### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
#### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
### [Evaluate Microsoft Defender ATP]()
#### [Attack surface reduction and next-generation capability evaluation]()
##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md)
##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md)
##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
##### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
### [Access the Microsoft Defender ATP Community Center](microsoft-defender-atp/community.md)
### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
### [Troubleshoot Microsoft Defender ATP]()
#### [Troubleshoot sensor state]()
##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md)
##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md)
##### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines)
##### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines)
##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md)
#### [Troubleshoot Microsoft Defender ATP service issues]()
##### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
##### [Check service health](microsoft-defender-atp/service-status.md)
#### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md)
### [Rules]()
#### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
#### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
#### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
#### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
### [Machine management]()
#### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
#### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
#### [Troubleshoot attack surface reduction issues]()
##### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
#### [Troubleshoot next-generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
@ -603,29 +644,6 @@
## [Troubleshoot Microsoft Defender ATP]()
### [Troubleshoot sensor state]()
#### [Check sensor state](microsoft-defender-atp/check-sensor-status.md)
#### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md)
#### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines)
#### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines)
#### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md)
### [Troubleshoot Microsoft Defender ATP service issues]()
#### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
#### [Check service health](microsoft-defender-atp/service-status.md)
### [Troubleshoot live response issues]()
#### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
### [Troubleshoot attack surface reduction]()
#### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
#### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
### [Troubleshoot next-generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
## [Security intelligence](intelligence/index.md)
### [Understand malware & other threats](intelligence/understanding-malware.md)
#### [Prevent malware infection](intelligence/prevent-malware-infection.md)

42
windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
View File

@ -22,40 +22,42 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
Central access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than other network objects. However, it is important to monitor these objects for potential changes in security auditing and to verify that policies are being enforced.
This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx).
Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They are stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced.
>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
Follow the procedures in this article to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](https://technet.microsoft.com/library/hh846167.aspx).
> [!NOTE]
> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
**To configure settings to monitor changes to central access policy and rule definitions**
**Configure settings to monitor central access policy and rule definition changes**
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**.
4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**.
5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
2. In Server Manager, point to **Tools** and select **Group Policy Management**.
3. In the console tree, right-click the default domain controller Group Policy Object, and then select **Edit**.
4. Double-click **Computer Configuration** and select **Security Settings**. Expand **Advanced Audit Policy Configuration** and **System Audit Policies**, select **DS Access**, and then double-click **Audit directory service changes**.
5. Select the **Configure the following audit events** and **Success** check boxes (and the **Failure** check box, if you want). Then select **OK**.
6. Close the Group Policy Management Editor.
7. Open the Active Directory Administrative Center.
8. Under Dynamic Access Control, right-click **Central Access Policies**, and then select **Properties**.
9. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab.
10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes.
9. Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab.
10. Select **Add**, add a security auditing setting for the container, and then close all the security properties dialog boxes.
After you configure settings to monitor changes to central access policy and central access rule definitions, verify that the changes are being monitored.
**To verify that changes to central access policy and rule definitions are monitored**
**Verify that central access policy and rule definition changes are monitored**
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Active Directory Administrative Center.
3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then click **Properties**.
4. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab.
5. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes.
6. In the **Central Access Policies** container, add a new central access policy (or select one that exists), click **Properties** in the **Tasks** pane, and then change one or more attributes.
7. Click **OK**, and then close the Active Directory Administrative Center.
8. In Server Manager, click **Tools**, and then click **Event Viewer**.
9. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log.
3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then select **Properties**.
4. Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab.
5. Select **Add**, add a security auditing setting for the container, and then close all security properties dialog boxes.
6. In the **Central Access Policies** container, add a new central access policy (or select one that already exists). Select **Properties** in the **Tasks** pane, and then change one or more attributes.
7. Select **OK**, and then close the Active Directory Administrative Center.
8. In Server Manager, select **Tools** and then **Event Viewer**.
9. Expand **Windows Logs**, and then select **Security**. Verify that event 4819 appears in the security log.
### Related resource
### Related topics
- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)

342
windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
View File

@ -1,7 +1,8 @@
---
title: Planning and deploying advanced security audit policies (Windows 10)
description: Learn which options to consider and tasks to complete, to deploy an effective security audit policy in a network that includes advanced security audit policies.
title: Plan and deploy advanced security audit policies (Windows 10)
description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies.
ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442
ms.reviewer:
ms.author: dansimp
ms.prod: w10
@ -17,150 +18,153 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
# Planning and deploying advanced security audit policies
# Plan and deploy advanced security audit policies
**Applies to**
- Windows 10
This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit
policies.
This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.
Organizations invest a large portion of their information technology budgets on security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them.
Organizations invest heavily in security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, the job isn't complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them.
To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also provide absolute proof that IT operations comply with corporate and regulatory requirements.
To be well-defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In many organizations, it must also provide proof that IT operations comply with corporate and regulatory requirements.
Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you do not plan well, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an organization as vulnerable as not enough monitoring.
No organization has unlimited resources to monitor every resource and activity on a network. If you don't plan well, you'll likely have gaps in your auditing strategy. But if you try to audit every resource and activity, you may gather too much monitoring data, including thousands of benign audit entries that an analyst will have to sift through to identify the narrow set of entries that warrant closer examination. Such volume could delay or prevent auditors from identifying suspicious activity. Too much monitoring can leave an organization as vulnerable as not enough.
Here are some features that can help you focus your effort:
- **Advanced audit policy settings**. You can apply and manage detailed audit policy settings through Group Policy.
- **"Reason for access" auditing**. You can specify and identify the permissions that were used to generate a particular object access security event.
- **Global object access auditing**. You can define system access control lists (SACLs) for an entire computer file system or registry.
- **Advanced audit policy settings:** You can apply and manage detailed audit policy settings through Group Policy.
- **"Reason for access" auditing:** You can specify and identify the permissions that were used to generate a particular object access security event.
- **Global object access auditing:** You can define system access control lists (SACLs) for an entire computer file system or registry.
To deploy these features and plan an effective security auditing strategy, you need to:
- Identify your most critical resources and the most important activities that need to be tracked.
- Identify the audit settings that can be used to track these activities.
- Identify your most critical resources and the most important activities that you need to track.
- Identify the audit settings that you can use to track these activities.
- Assess the advantages and potential costs associated with each.
- Test these settings to validate your choices.
- Develop plans for deploying and managing your audit policy.
## About this guide
This document will guide you through the steps needed to plan a security auditing policy that uses Windows auditing features. This policy must identify and address vital business needs, including:
This article guides you through the steps to plan a security auditing policy that uses Windows auditing features. The policy must address vital business needs, including:
- Network reliability
- Regulatory requirements
- Protection of the organization's data and intellectual property
- Protection of data and intellectual property
- Users, including employees, contractors, partners, and customers
- Client computers and applications
- Servers and the applications and services running on those servers
The audit policy also must identify processes for managing audit data after it has been logged, including:
The audit policy also must identify processes for managing audit data after it's been logged, including:
- Collecting, evaluating, and reviewing audit data
- Storing and (if required) disposing of audit data
- Collecting, evaluating, and reviewing data
- Storing and (if necessary) disposing of data
By carefully planning, designing, testing, and deploying a solution based on your organization's business requirements, you can provide the standardized functionality, security, and management control that your organization needs.
## Understanding the security audit policy design process
## Understand the security audit policy design process
The process of designing and deploying a Windows security audit policy involves the following tasks, which are described in greater detail throughout this document:
Designing and deploying a Windows security audit policy involves the following tasks, which are described in this document:
- [Identifying your Windows security audit policy deployment goals](#bkmk-1)
- [Identify your Windows security audit policy deployment goals](#bkmk-1)
This section helps define the business objectives that will guide your Windows security audit policy. It also helps you define the resources, users, and computers that will be the focus of your security auditing.
This section helps define the business objectives that will guide your Windows security audit policy. It also helps define the resources, users, and computers that will be the focus of your auditing.
- [Mapping the security audit policy to groups of users, computers, and resources in your organization](#bkmk-2)
- [Map your security audit policy to groups of users, computers, and resources](#bkmk-2)
This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. In addition, if your network includes multiple versions of Windows client and server operating systems, it also explains when to use basic audit policy settings and when to use advanced security audit policy settings.
This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. It also explains when to use basic audit policy settings and when to use advanced security audit policy settings.
- [Mapping your security auditing goals to a security audit policy configuration](#bkmk-3)
- [Map your security auditing goals to a security audit policy configuration](#bkmk-3)
This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings that can be of particular value to address auditing scenarios.
This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings to address auditing scenarios.
- [Planning for security audit monitoring and management](#bkmk-4)
- [Plan for security audit monitoring and management](#bkmk-4)
This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you want to audit, Windows event logs can fill up quickly. In addition, this section explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also explains how to address storage requirements, including how much audit data to store and how it must be stored.
This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you audit, your Windows event logs can fill up quickly. This section also explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also covers how to address storage requirements.
- [Deploying the security audit policy](#bkmk-5)
- [Deploy the security audit policy](#bkmk-5)
This section provides recommendations and guidelines for the effective deployment of a Windows security audit policy. Configuring and deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you have selected will produce the type of audit data you need. However, only a carefully staged pilot and incremental deployments based on your domain and organizational unit (OU) structure will enable you to confirm that the audit data you generate can be monitored and that it meets your organization's audit needs.
This section provides guidelines for effective deployment of a Windows security audit policy. Deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you've selected will produce the audit data that you need. But only a carefully staged pilot and incremental deployment based on your domain and organizational unit (OU) structure will confirm that the audit data you generate can be monitored and meets your needs.
## <a href="" id="bkmk-1"></a>Identifying your Windows security audit policy deployment goals
## <a href="" id="bkmk-1"></a>Identify your Windows security audit policy deployment goals
A security audit policy must support and be a critical and integrated aspect of an organization's overall security design and framework.
A security audit policy must support and be an integrated aspect of an organization's overall security framework.
Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which assets, resources, and users provide the strongest justification for the focus of a security audit.
Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which provide the strongest justification for the focus of a security audit.
To create your Windows security audit plan, begin by identifying:
- The overall network environment, including the domains, OUs, and security groups.
- The resources on the network, the users of those resources, and how those resources are being used.
- Regulatory requirements.
- The overall network environment, including the domains, OUs, and security groups
- The resources on the network, the users of those resources, and how those resources are used
- Regulatory requirements
### Network environment
An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain portions of your domain and OU structure already provide logical groups of users, resources, and activities that justify the time and resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) later in this document.
An organization's domain and organizational unit (OU) structure provide a fundamental starting point for thinking about how to apply a security audit policy. They likely provide a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. Your domain and OU structure probably already provide logical groups of users, resources, and activities that justify the resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources](#bkmk-2) later in this document.
In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats.
In addition to your domain model, determine whether your organization maintains a systematic threat model. A good threat model can help identify threats to key components in your infrastructure. Then you can apply audit settings that enhance your ability to identify and counter those threats.
>**Important:**  Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results.
For additional details about how to complete each of these steps and how to prepare a detailed threat model, download the [IT Infrastructure Threat Modeling Guide](https://go.microsoft.com/fwlink/p/?LinkId=163432).
> [!IMPORTANT]
> Including auditing in your organization's security plan also helps you budget resources to the areas where auditing can achieve the best results.
### Data and resources
For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of these data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance the existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you will be able to manage.
For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of your data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance your existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you can manage.
You can record if these resources have high business impact, medium business impact, or low business impact, the cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different levels of risk to an organization.
You can record if these resources have high, medium, or low business impact; the cost to the organization if these data resources are accessed by unauthorized users; and the risks that such access can pose to the organization. The type of access by users (such as *read*, *modify*, or *copy*) can also pose different levels of risk.
Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information.
Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss of credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information.
The following table provides an example of a resource analysis for an organization.
| Resource class | Where stored | Organizational unit | Business impact | Security or regulatory requirements |
| - | - | - | - | - |
| Payroll data| Corp-Finance-1| Accounting: Read/Write on Corp-Finance-1<br/>Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy|
| Patient medical records| MedRec-2| Doctors and Nurses: Read/Write on Med/Rec-2<br/>Lab Assistants: Write only on MedRec-2<br/>Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards|
| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/Write on Web-Ext-1<br/>Public: Read only on Web-Ext-1| Low| Public education and corporate image|
| Payroll data| Corp-Finance-1| Accounting: Read/write on Corp-Finance-1<br/>Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy|
| Patient medical records| MedRec-2| Doctors and Nurses: Read/write on Med/Rec-2<br/>Lab Assistants: Write only on MedRec-2<br/>Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards|
| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/write on Web-Ext-1<br/>Public: Read only on Web-Ext-1| Low| Public education and corporate image|
### Users
Many organizations find it useful to classify the types of users they have and base permissions on this classification. This same classification can help you identify which user activities should be the subject of security auditing and the amount of audit data they will generate.
Many organizations find it useful to classify the types of users they have and then base permissions on this classification. This classification can help you identify which user activities should be the subject of security auditing and the amount of audit data that they'll generate.
Organizations can create distinctions based on the type of rights and permissions needed by users to perform their jobs. For example, under the classification Administrators, larger organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under Users, permissions and Group Policy settings can apply to as many as all users in an organization or as few as a subset of the employees in a given department.
Organizations can create distinctions based on the type of rights and permissions that users need to do their jobs. Under the classification *administrators*, for example, large organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under *users*, permissions and Group Policy settings can apply to all users in an organization or as few as a subset of employees in a given department.
Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you are complying with these requirements.
Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you're complying with these requirements.
To effectively audit user activity, begin by listing the different types of users in your organization and the types of data they need access to—in addition to the data they should not have access to.
To effectively audit user activity, begin by listing the different types of users in your organization, the types of data they need access to, and the data they shouldn't have access to.
Also, if external users can access any of your organization's data, be sure to identify them, including if they belong to a business partner, customer, or general user, the data they have access to, and the permissions they have to access that data.
Also, if external users can access your organization's data, be sure to identify them. Determine whether they're a business partner, customer, or general user; the data they have access to; and the permissions they have to access that data.
The following table illustrates an analysis of users on a network. Although our example contains a single column titled "Possible auditing considerations," you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use.
The following table illustrates an analysis of users on a network. Our example contains only a single column titled "Possible auditing considerations," but you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use.
| Groups | Data | Possible auditing considerations |
| - | - | - |
| Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. |
| Members of the Finance OU| Financial records| Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. |
| External partners | Project Z| Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.|
| Members of the Finance OU| Financial records| Users in Finance have read/write access to critical financial records but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. |
| External partners | Project Z| Employees of partner organizations have read/write access to certain project data and servers relating to Project Z but not to other servers or data on the network.|
### Computers
Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on:
- If the computers are servers, desktop computers, or portable computers.
- The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager.
- Whether the computers are servers, desktop computers, or portable computers
- The important applications that the computers run, such as Microsoft Exchange Server, SQL Server, or Forefront Identity Manager
>**Note:**  If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx).
> [!NOTE]
> For more information about auditing:
> - In Exchange Server, see [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052).
> - In SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434).
> - In SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx).
- The operating system versions.
- The operating system versions
>**Note:**  The operating system version determines which auditing options are available and the volume of audit event data.
> [!NOTE]
> The operating system version determines which auditing options are available and the volume of audit event data.
- The business value of the data.
- The business value of the data
For example, a web server that is accessed by external users requires different audit settings than a root certification authority (CA) that is never exposed to the public Internet or even to regular users on the organization's network.
For example, a web server that's accessed by external users requires different audit settings than a root certification authority (CA) that's never exposed to the public internet or even to regular users on the organization's network.
The following table illustrates an analysis of computers in an organization.
@ -173,137 +177,150 @@ The following table illustrates an analysis of computers in an organization.
### Regulatory requirements
Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations.
Many industries and locales have specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who can access records and how the records are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with these regulations and verify compliance.
For more info, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx).
For more information, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx).
## <a href="" id="bkmk-2"></a>Mapping the security audit policy to groups of users, computers, and resources in your organization
## <a href="" id="bkmk-2"></a>Map your security audit policy to groups of users, computers, and resources
By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the
following considerations for using Group Policy to apply security audit policy settings:
By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings:
- The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
- For every policy setting that you select, you need to decide whether it should be enforced across the organization, or whether it should apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers.
- By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that is linked at a lower level can overwrite inherited policies.
- Decide whether every policy setting that you select should be enforced across the organization or apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers.
- By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that's linked at a lower level can overwrite inherited policies.
For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing).
For example, you might use a domain GPO to assign an organization-wide group of audit settings but want a certain OU to get a defined group of additional settings. To do this, you can link a second GPO to that specific lower-level OU. Then, a logon audit setting that's applied at the OU level will override a conflicting logon audit setting that's applied at the domain level, unless you've taken special steps to apply Group Policy loopback processing.
- Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to computer OUs, not to user OUs. However, in most cases you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This enables auditing for a security group that contains only the users you specify.
- Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to *computer* OUs, not to *user* OUs. But in most cases, you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This functionality enables auditing for a security group that contains only the users you specify.
For example, you could configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
For example, you could configure a SACL for a folder called *Payroll Data* on Accounting Server 1. You can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. But, because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder will generate audit events.
- Advanced security audit policy settings were introduced in Windows Server 2008 R2 or Windows 7 and can be applied to those operating systems and later. These advanced audit polices can only be applied by using Group Policy.
- Advanced security audit policy settings were introduced in Windows Server 2008 R2 and Windows 7. These advanced audit policies can only be applied to those operating systems and later versions by using Group Policy.
>**Important:**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting.
If you use **Advanced Audit Policy Configuration** settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
> [!IMPORTANT]
> Whether you apply advanced audit policies by using Group Policy or logon scripts, don't use both the basic audit policy settings under **Local Policies\Audit Policy** and the advanced settings under **Security Settings\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting.
If you use **Advanced Audit Policy Configuration** settings or logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This configuration will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
The following are examples of how audit policies can be applied to an organization's OU structure:
The following examples show how you can apply audit policies to an organization's OU structure:
- Apply data activity settings to an OU that contains file servers. If your organization has servers that contain particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more precise audit policy to these servers.
- Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs based on the department they work in, consider configuring and applying more detailed security permissions on critical resources that are accessed by employees who work in more sensitive areas, such as network administrators or the legal department.
- Apply data activity settings to an OU that contains file servers. If your organization has servers that contain sensitive data, consider putting them in a separate OU. Then you can configure and apply a more precise audit policy to these servers.
- Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs by department, consider applying more-detailed security permissions on critical resources that are accessed by employees who work in more-sensitive areas, such as network administrators or the legal department.
- Apply network and system activity audit policies to OUs that contain the organization's most critical servers, such as domain controllers, CAs, email servers, or database servers.
## <a href="" id="bkmk-3"></a>Mapping your security auditing goals to a security audit policy configuration
## <a href="" id="bkmk-3"></a>Map your security auditing goals to a security audit policy configuration
After you identify your security auditing goals, you can begin to map them to a security audit policy configuration. This audit policy configuration must address your most critical security auditing goals, but it also must address your organization's constraints, such as the number of computers that need to be monitored, the number of activities that you want to audit, the number of audit events that your desired audit configuration will generate, and the number of administrators available to analyze and act upon audit data.
After you identify your security auditing goals, you can map them to a security audit policy configuration. This audit policy configuration must address your security auditing goals. But it also must reflect your organization's constraints, such as the numbers of:
- Computers that need to be monitored
- Activities that you want to audit
- Audit events that your audit configuration will generate
- Administrators available to analyze and act upon audit data
To create your audit policy configuration, you need to:
1. Explore all of the audit policy settings that can be used to address your needs.
2. Choose the audit settings that will most effectively address the audit requirements identified in the previous section.
3. Confirm that the settings you choose are compatible with the operating systems running on the computers that you want to monitor.
4. Decide which configuration options (Success, Failure, or both Success and Failure) you want to use for the audit settings.
5. Deploy the audit settings in a lab or test environment to verify that they meet your desired results in terms of volume, supportability, and comprehensiveness. Then deploy the audit settings in a pilot production environment to ensure that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data.
1. Explore all the audit policy settings that can be used to address your needs.
1. Choose the audit settings that will most effectively address the audit requirements there were identified in the previous section.
1. Confirm that the settings that you choose are compatible with the operating systems running on the computers that you want to monitor.
1. Decide which configuration options (*success*, *failure*, or both *success* and *failure*) you want to use for the audit settings.
1. Deploy the audit settings in a lab or test environment to verify that they meet your desired results for volume, supportability, and comprehensiveness. Then, deploy the audit settings in a pilot production environment to check that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data.
### Exploring audit policy options
### Explore audit policy options
Security audit policy settings in the supported versions of Windows can be viewed and configured in the following locations:
You can view and configure security audit policy settings in the supported versions of Windows in the following locations:
- **Security Settings\\Local Policies\\Audit Policy**.
- **Security Settings\\Local Policies\\Security Options**.
- **Security Settings\\Advanced Audit Policy Configuration**. For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
- *Security Settings\\Local Policies\\Audit Policy*
- *Security Settings\\Local Policies\\Security Options*
- *Security Settings\\Advanced Audit Policy Configuration*
For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
### Choosing audit settings to use
### Choose audit settings to use
Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under **Security Settings\\Advanced Audit Policy Configuration** can be used to monitor the following types of activity:
Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under *Security Settings\\Advanced Audit Policy Configuration* can be used to monitor the following types of activity:
- Data and resources
- Users
- Network
>**Important:**  Settings that are described in the Reference might also provide valuable information about activity audited by another setting. For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network.
> [!IMPORTANT]
> Settings that are described in the reference might also provide valuable information about activity audited by another setting. For example, the settings that you use to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status and potentially for how well you're managing the activities of users on the network.
### Data and resource activity
For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be
protected against any breach, the following settings can provide extremely valuable monitoring and forensic data:
Compromise to an organization's data resources can cause tremendous financial losses, lost prestige, and legal liability. If your organization has critical data resources that must be protected, the following settings can provide valuable monitoring and forensic data:
- Object Access\\[Audit File Share](audit-file-share.md). This policy setting allows you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated by this setting will vary depending on the number of client computers that attempt to access the file share. On a file server or domain controller, volume may be high due to SYSVOL access by client computers for policy processing. If you do not need to record routine access by client computers that have permissions on the file share, you may want to log audit events only for failed attempts to access the file share.
- Object Access\\[Audit File System](audit-file-system.md). This policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects (such as files and folders) that have configured SACLs, and only if the type of access requested (such as Write, Read, or Modify) and the account that is making the request match the settings in the SACL.
- **Object Access\\[Audit File Share](audit-file-share.md)**: This policy setting enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated with this setting will vary depending on the number of client computers that try to access the file share. On a file server or domain controller, volume may be high because of SYSVOL access by client computers for policy processing. If you don't need to record routine access by client computers on the file share, you may want to log audit events only for failed attempts to access the file share.
- **Object Access\\[Audit File System](audit-file-system.md)**: This policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects, such as files and folders, that have configured SACLs, and only if the type of access requested (such as *write*, *read*, or *modify*) and the account that's making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that have been configured to be monitored.
If *success* auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If *failure* auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that you configured to be monitored.
>**Note:**  To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).
> [!NOTE]
> To audit user attempts to access all file system objects on a computer, use the *Global Object Access Auditing* settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).
- Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL.
- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events and only if the attempted handle operation matches the SACL.
Event volume can be high, depending on how SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy settings, the **Audit Handle Manipulation** policy setting can provide an administrator with useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a Read-only resource but a user attempts to save changes to the file, the audit event will log not only the event, but also the permissions that were used (or attempted to be used) to save the file changes.
Event volume can be high, depending on how the SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy setting, the **Audit Handle Manipulation** policy setting can provide useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a *read-only* resource but a user tries to save changes to the file, the audit event will log the event *and* the permissions that were used (or attempted to be used) to save the file changes.
- **Global Object Access Auditing**: Many organizations use security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system. These settings can't be overridden or circumvented.
- **Global Object Access Auditing**. A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented.
>**Important:**  The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.
> [!IMPORTANT]
> The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.
### User activity
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network, and the settings in this section focus on the users, including employees, partners, and customers, who may try to access those resources.
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers.
In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate activities. The following are a few important settings that you should evaluate to track user activity on your network:
In most cases, these attempts are legitimate, and the network needs to make data readily available to legitimate users. But in other cases, employees, partners, and others may try to access resources that they have no legitimate reason to access. You can use security auditing to track a variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and to identify and address illegitimate activities. The following are important settings that you should evaluate to track user activity on your network:
- Account Logon\\[Audit Credential Validation](audit-credential-validation.md). This is an extremely important policy setting because it enables you to track every successful and unsuccessful attempt to present credentials for a user logon. In particular, a pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid, or attempting to use a variety of credentials in succession in hope that one of these attempts will eventually be successful. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
- Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md). These policy settings can enable you to monitor the applications that a user opens and closes on a computer.
- DS Access\\[Audit Directory Service Access](audit-directory-service-access.md) and DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md). These policy settings provide a detailed audit trail of attempts to access create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it is extremely important to identify malicious attempts to modify these objects. In addition, although domain administrators should be among an organization's most trusted employees, the use of **Audit Directory Service Access** and **Audit Directory Service Changes** settings allow you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers.
- Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md). Another common security scenario occurs when a user attempts to log on with an account that has been locked out. It is important to identify these events and to determine whether the attempt to use an account that has been locked out is malicious.
- Logon/Logoff\\[Audit Logoff](audit-logoff.md) and Logon/Logoff\\[Audit Logon](audit-logon.md). Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated.
- **Account Logon\\[Audit Credential Validation](audit-credential-validation.md)**: This setting enables you to track all successful and unsuccessful logon attempts. A pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid. Or the user or app is trying to use a variety of credentials in succession in hope that one of these attempts will eventually succeed. These events occur on the computer that's authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
- **Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md)**: These policy settings enable you to monitor the applications that a user opens and close on a computer.
- **DS Access\\[Audit Directory Service Access](audit-directory-service-access.md)** and **DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md)**: These policy settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it's important to identify malicious attempts to modify these objects. Also, although domain administrators should be among an organization's most trusted employees, the use of the **Audit Directory Service Access** and **Audit Directory Service Changes** settings enable you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers.
- **Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md)**: Another common security scenario occurs when a user attempts to log on with an account that's been locked out. It's important to identify these events and to determine whether the attempt to use an account that was locked out is malicious.
- **Logon/Logoff\\[Audit Logoff](audit-logoff.md)** and **Logon/Logoff\\[Audit Logon](audit-logon.md)**: Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated.
>**Note:**  There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated.
> [!NOTE]
> There's no failure event for logoff activity, because failed logoffs (such as when a system abruptly shuts down) don't generate an audit record. Logoff events aren't 100-percent reliable. For example, a computer can be turned off without a proper logoff and shut down, so a logoff event isn't generated.
- Logon/Logoff\\[Audit Special Logon](audit-special-logon.md). A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It is recommended to track these types of logons. For more information about this feature, see [article 947223](https://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base.
- Object Access\\[Audit Certification Services](audit-certification-services.md). This policy setting allows you to track and monitor a wide variety of activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users are performing or attempting to perform these tasks, and that only authorized or desired tasks are being performed.
- Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md). These policy settings are described in the previous section.
- Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting and its role in providing "reason for access" audit data is described in the previous section.
- Object Access\\[Audit Registry](audit-registry.md). Monitoring for changes to the registry is one of the most critical means that an administrator has to ensure malicious users do not make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs, and only if the type of access that is requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
- **Logon/Logoff\\[Audit Special Logon](audit-special-logon.md)**: A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It's recommended to track these types of logons.
- **Object Access\\[Audit Certification Services](audit-certification-services.md)**: This policy setting enables you to monitor activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users do these tasks and only authorized or desirable tasks are done.
- **Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md)**: These policy settings are described in the previous section.
- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting and its role in providing "reason for access" audit data is described in the previous section.
- **Object Access\\[Audit Registry](audit-registry.md)**: Monitoring for changes to the registry is one of the best ways for administrators to ensure that malicious users don't make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs and only if the type of access that's requested, such as *write*, *read*, or *modify*, and the account making the request match the settings in the SACL.
>**Important:**  On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked.
> [!IMPORTANT]
> On critical systems where all attempts to change registry settings should be tracked, you can combine the **Audit Registry** and **Global Object Access Auditing** policy settings to track all attempts to modify registry settings on a computer.
- Object Access\\[Audit SAM](audit-sam.md). The Security Accounts Manager (SAM) is a database that is present on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events.
- Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md). **Privilege Use** policy settings and audit events allow you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made.
- **Object Access\\[Audit SAM](audit-sam.md)**: The Security Accounts Manager (SAM) is a database on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events.
- **Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)**: These policy settings and audit events enable you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made.
### Network activity
The following network activity policy settings allow you to monitor security-related issues that are not necessarily covered in the data or user activity categories, but that can be equally important for network status and protection.
The following network activity policy settings enable you to monitor security-related issues that aren't necessarily covered in the data or user-activity categories but that can be important for network status and protection.
- **Account Management**. The policy settings in this category can be used to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the user activity and data activity sections.
- Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md). Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting allows you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting allows you to monitor the use of Kerberos service tickets.
- **Account Management**: Use the policy settings in this category to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the [User activity](#user-activity) and [Data and resource activity](#data-and-resource-activity) sections.
- **Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)**: Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting enables you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting enables you to monitor the use of Kerberos service tickets.
>**Note:**  **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed.
>[!NOTE]
>**Account Logon** policy settings apply only to specific domain account activities, regardless of which computer is accessed. **Logon/Logoff** policy settings apply to the computer that hosts the resources that are accessed.
- Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md). This policy setting can be used to track a number of different network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections.
- **DS Access**. Policy settings in this category allow you to monitor the AD DS role services, which provide account data, validate logons, maintain network access permissions, and provide other services that are critical to the secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. In addition, one of the key tasks performed by AD DS is the replication of data between domain controllers.
- Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md), Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md), and Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md). Many networks support large numbers of external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the Internet by enabling network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly.
- Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md). Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is attempting to circumvent these protections.
- **Policy Change**. These policy settings and events allow you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, any changes or attempts to change these policies can be an important aspect of security management for a network.
- Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md). This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network cannot be detected.
- Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md). This policy setting can be used to monitor a large variety of changes to an organization's IPsec policies.
- Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md). This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
- **Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md)**: This policy setting can be used to track various network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections.
- **DS Access**: Policy settings in this category enable you to monitor AD DS role services. These services provide account data, validate logons, maintain network access permissions, and provide other functionality that's critical to secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. One of the key tasks that AD DS performs is replication of data between domain controllers.
- **Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)**, **Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md)**, and **Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)**: Networks often support many external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the internet. It enables network-level peer authentication, data origin authentication, data integrity checks, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly.
- **Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md)**: Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is trying to circumvent these protections.
- **Policy Change**: These policy settings and events enable you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, monitoring any changes or attempted changes to these policies can be an important aspect of security management for a network.
- **Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md)**: This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network can't be detected.
- **Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)**: This policy setting can be used to monitor a variety of changes to an organization's IPsec policies.
- **Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)**: This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it's protected against network attacks.
### Confirm operating system version compatibility
Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and manage these settings. For more info, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md).
Not all versions of Windows support advanced audit policy settings or the use of Group Policy to manage these settings. For more information, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md).
The audit policy settings under **Local Policies\\Audit Policy** overlap with audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the amount of audit data that is less important to your organization.
The audit policy settings under **Local Policies\\Audit Policy** overlap with the audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories enable you to focus your auditing efforts on critical activities while reducing the amount of audit data that's less important to your organization.
For example, **Local Policies\\Audit Policy** contains a single setting called [Audit account logon events](https://technet.microsoft.com/library/cc787176.aspx). When this setting is configured, it generates at least 10 types of audit events.
For example, **Local Policies\\Audit Policy** contains a single setting called **[Audit account logon events](https://technet.microsoft.com/library/cc787176.aspx)**. When this setting is configured, it generates at least 10 types of audit events.
In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing:
@ -312,49 +329,50 @@ In comparison, the Account Logon category under **Security Settings\\Advanced Au
- Kerberos Service Ticket Operations
- Other Account Logon Events
These settings allow you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible.
These settings enable you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible.
### Success, failure, or both
### *Success*, *failure*, or both
Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the answer will be based on the criticality of the event and the implications of the decision on event volume.
Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails or succeeds or both successes *and* failures. This is an important question. The answer depends on the criticality of the event and the implications of the decision for event volume.
For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an event only when an unsuccessful attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. And in this instance, logging successful attempts to access the server would quickly fill the event log with benign events.
For example, on a file server that's accessed frequently by legitimate users, you may want to log an event only when an *unsuccessful* attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. In this case, logging *successful* attempts to access the server would quickly fill the event log with benign events.
On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every user who accessed the resource.
But if the file share has sensitive information, such as trade secrets, you may want to log every access attempt so that you have an audit trail of every user who tries to access the resource.
## <a href="" id="bkmk-4"></a>Planning for security audit monitoring and management
## <a href="" id="bkmk-4"></a>Plan for security audit monitoring and management
Networks can contain hundreds of servers running critical services or storing critical data, all of which need to be monitored. The number of client computers on the network can easily range into the tens or even hundreds of thousands. This may not be an issue if the ratio of servers or client computers per administrator is low. Even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how an administrator will obtain event data to review. Following are some options for obtaining the event data.
Networks may contain hundreds of servers that run critical services or store critical data, all of which need to be monitored. There may be tens or even hundreds of thousands of computers on the network. These numbers may not be an issue if the ratio of servers or client computers per administrator is low. And even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how the administrator will obtain event data to review. Following are some options for obtaining the event data.
- Will you keep event data on a local computer until an administrator logs on to review this data? If so, then the administrator needs to have physical or remote access to the Event Viewer on each client computer or server, and the remote access and firewall settings on each client computer or server need to be configured to enable this access. In addition, you need to decide how often an administrator can visit each computer, and adjust the size of the audit log so that critical information is not deleted if the log reaches its maximum capacity.
- Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Operations Manager 2007 and 2012, which can be used to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this can make it more difficult to detect clusters of related events that can occur on a single computer.
- Will you keep event data on a local computer until an administrator logs on to review this data? If so, the administrator needs to have physical or remote access to the Event Viewer on each client computer or server. And the remote access and firewall settings on each client computer or server need to be configured to enable this access. You also need to decide how often the administrator can visit each computer, and adjust the size of the audit log so that critical information isn't deleted if the log reaches capacity.
- Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Microsoft Operations Manager 2007 and 2012, that you can use to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this method can make it more difficult to detect clusters of related events that can occur on a single computer.
In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what should happen when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and click **Properties**. You can configure the following properties:
In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what happens when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and select **Properties**. You can configure the following properties:
- **Overwrite events as needed (oldest events first)**. This is the default option, which is an acceptable solution in most situations.
- **Archive the log when full, do not overwrite events**. This option can be used when all log data needs to be saved, but it also suggests that you may not be reviewing audit data frequently enough.
- **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you do not want to lose any audit data, do not want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached.
- **Overwrite events as needed (oldest events first)**: This is the default option, which is acceptable in most situations.
- **Archive the log when full, do not overwrite events**: This option can be used when all log data needs to be saved. But the scenario suggests that you may not be reviewing audit data frequently enough.
- **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you don't want to lose any audit data, don't want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached.
You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer
You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following location in the GPMC: **Computer
Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include:
- **Maximum Log Size (KB)**. This policy setting specifies the maximum size of the log files. The user interfaces in the Local Group Policy Editor and Event Viewer allow you to enter values as large as 2 TB. If this setting is not configured, event logs have a default maximum size of 20 megabytes.
- **Maximum Log Size (KB)**: This policy setting specifies the maximum size of the log files. In the Local Group Policy Editor and Event Viewer, you can enter values as large as 2 TB. If this setting isn't configured, event logs have a default maximum size of 20 megabytes.
- **Log Access**. This policy setting determines which user accounts have access to log files and what usage rights are granted.
- **Retain old events**. This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events.
- **Backup log automatically when full**. This policy setting controls event log behavior when the log file reaches its maximum size and takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it is full. A new file is then started. If you disable or do not configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded and the old events are retained.
- **Log Access**: This policy setting determines which user accounts have access to log files and what usage rights are granted.
- **Retain old events**: This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events aren't written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events.
- **Backup log automatically when full**: This policy setting controls event log behavior when the log file reaches its maximum size. It takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it's full. A new log file is then started. If you disable or don't configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded, and the old events are retained.
In addition, a growing number of organizations are being required to store archived log files for a number of years. You should consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](https://go.microsoft.com/fwlink/p/?LinkId=163435).
Many organizations are now required to store archived log files for a number of years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](https://go.microsoft.com/fwlink/p/?LinkId=163435).
## <a href="" id="bkmk-5"></a>Deploying the security audit policy
## <a href="" id="bkmk-5"></a>Deploy the security audit policy
Before deploying the audit policy in a production environment, it is critical that you determine the effects of the policy settings that you have configured.
The first step in assessing your audit policy deployment is to create a test environment in a lab and use it to simulate the various use scenarios that you have identified to confirm that the audit settings you have selected are configured correctly and generate the type of results you intend.
Before deploying the audit policy in a production environment, it's critical that you determine the effects of the policy settings that you've configured.
However, unless you are able to run fairly realistic simulations of network usage patterns, a lab setup cannot provide you with accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve:
The first step in assessing your audit policy deployment is to create a test environment in a lab. Use it to simulate the various use scenarios that you identified to confirm that the audit settings you selected are configured correctly and generate the type of results you want.
- A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location.
- A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**.
- A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings.
However, unless you can run fairly realistic simulations of network usage patterns, a lab setup can't provide accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve:
After you have successfully completed one or more limited deployments, you should confirm that the audit data that is collected is manageable with your management tools and administrators. When you have confirmed that the pilot deployment is effective, you need to confirm that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until the production deployment is complete.
- A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location
- A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**
- A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings
After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until production deployment is complete.

20
windows/security/threat-protection/index.md
View File

@ -31,7 +31,7 @@ ms.topic: conceptual
</tr>
<tr>
<td colspan="7">
<a href="#apis"><center><b>Management and APIs</a></b></center></td>
<a href="#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td>
</tr>
<tr>
<td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
@ -42,9 +42,9 @@ ms.topic: conceptual
<a name="tvm"></a>
**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
@ -74,10 +74,10 @@ The attack surface reduction set of capabilities provide the first line of defen
**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**<br>
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus)
- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
<a name="edr"></a>
@ -97,7 +97,7 @@ Endpoint detection and response capabilities are put in place to detect, investi
<a name="ai"></a>
**[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**<br>
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
@ -116,7 +116,7 @@ Microsoft Defender ATP includes a configuration score to help you dynamically as
<a name="mte"></a>
**[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**<br>
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
- [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md)
- [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md)
@ -124,7 +124,7 @@ Microsoft Defender ATP's new managed threat hunting service provides proactive h
<a name="apis"></a>
**[Management and APIs](microsoft-defender-atp/management-apis.md)**<br>
**[Centralized configuration and administration, APIs](microsoft-defender-atp/management-apis.md)**<br>
Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
- [Onboarding](microsoft-defender-atp/onboard-configure.md)
- [API and SIEM integration](microsoft-defender-atp/configure-siem.md)
@ -139,7 +139,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
- Office 365 ATP
- Azure ATP
- Azure Security Center
- Skype for Business
- Skype for Business
- Microsoft Cloud App Security
<a name="mtp"></a>

19
windows/security/threat-protection/intelligence/criteria.md
View File

@ -18,11 +18,22 @@ search.appverid: met150
# How Microsoft identifies malware and potentially unwanted applications
Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. When you download, install, and run software, you have access to information and tools to do so safely. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. That information is then compared against criteria described in this article.
Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you are protected against known threats and warned about software that is unknown to us.
You can participate in this process by [submitting software for analysis](submission-guide.md) to ensure undesirable software is covered by our security solutions.
You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md)
Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.
The next sections provide an overview of the classifications we use for applications and the types of behaviors that lead to that classification.
>[!NOTE]
> New forms of malware and potentially unwanted applications are being developed and distributed rapidly. The following list may not be comprehensive, and Microsoft reserves the right to adjust, expand, and update these without prior notice or announcement.
## Unknown Unrecognized software
No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates. With almost 2 billion websites on the internet and software continuously being updated and released, it's impossible to have information about every single site and program.
You can think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware, as there is generally a delay from the time new malware is released until it is identified. Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Warnings for unknown software are not blocks, and users can choose to download and run the application normally if they wish to.
Once enough data is gathered, Microsoft's security solutions can make a determination. Either no threats are found, or an application or software is categorized as malware or potentially unwanted software.
## Malware
@ -48,7 +59,7 @@ Microsoft classifies most malicious software into one of the following categorie
* **Obfuscator:** A type of malware that hides its code and purpose, making it more difficult for security software to detect or remove.
* **Password stealer:** A type of malware that gathers your personal information, such as user names and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).

2
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
View File

@ -2,7 +2,7 @@
title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK)
ms.reviewer:
description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis.
keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, next generation protection
keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library

2
windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
View File

@ -118,7 +118,7 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab
1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
2. Click **Create a workspace** or use your primary workspace.
2. Click **Create your instance**.
3. Toggle the Integration setting to **On** and click **Save**.

32
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
View File

@ -1,7 +1,7 @@
---
title: Overview of advanced hunting
title: Overview of advanced hunting in Microsoft Defender ATP
description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# Proactively hunt for threats with advanced hunting
@ -39,38 +38,19 @@ You can also go through each of the following steps to ramp up your advanced hun
| Learning goal | Description | Resource |
|--|--|--|
| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
| **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | [Custom detections overview](overview-custom-detections.md) |
| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
## Get help as you write queries
Take advantage of the following functionality to write queries faster:
- **Autosuggest** — as you write queries, advanced hunting provides suggestions.
- **Autosuggest** — as you write queries, advanced hunting provides suggestions from IntelliSense.
- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
## Drilldown from query results
To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity in Microsoft Defender Security Center.
## Tweak your queries from the results
Right-click a value in the result set to quickly enhance your query. You can use the options to:
- Explicitly look for the selected value (`==`)
- Exclude the selected value from the query (`!=`)
- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with`
![Image of Microsoft Defender ATP advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
## Filter the query results
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude.
![Image of advanced hunting filter](images/atp-filter-advanced-hunting.png)
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
## Related topics
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
View File

@ -137,6 +137,7 @@ For detailed information about the query language, see [Kusto query language doc
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)

142
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md Normal file
View File

@ -0,0 +1,142 @@
---
title: Work with advanced hunting query results in Microsoft Defender ATP
description: Make the most of the query results returned by advanced hunting in Microsoft Defender ATP
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Work with advanced hunting query results
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
[!INCLUDE [Prerelease information](../../includes/prerelease.md)]
While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:
- View results as a table or chart
- Export tables and charts
- Drill down to detailed entity information
- Tweak your queries directly from the results or apply filters
## View query results as a table or chart
By default, advanced hunting displays query results as tabular data. You can also display the same data as a chart. Advanced hunting supports the following views:
| View type | Description |
| -- | -- |
| **Table** | Displays the query results in tabular format |
| **Column chart** | Renders a series of unique items on the x-axis as vertical bars whose heights represent numeric values from another field |
| **Stacked column chart** | Renders a series of unique items on the x-axis as stacked vertical bars whose heights represent numeric values from one or more other fields |
| **Pie chart** | Renders sectional pies representing unique items. The size of each pie represents numeric values from another field. |
| **Donut chart** | Renders sectional arcs representing unique items. The length of each arc represents numeric values from another field. |
| **Line chart** | Plots numeric values for a series of unique items and connects the plotted values |
| **Scatter chart** | Plots numeric values for a series of unique items |
| **Area chart** | Plots numeric values for a series of unique items and fills the sections below the plotted values |
### Construct queries for effective charts
When rendering charts, advanced hunting automatically identifies columns of interest and the numeric values to aggregate. To get meaningful charts, construct your queries to return the specific values you want to see visualized. Here are some sample queries and the resulting charts.
#### Alerts by severity
Use the `summarize` operator to obtain a numeric count of the values you want to chart. The query below uses the `summarize` operator to get the number of alerts by severity.
```kusto
DeviceAlertEvents
| summarize Total = count() by Severity
```
When rendering the results, a column chart displays each severity value as a separate column:
![Image of advanced hunting query results displayed as a column chart](images/advanced-hunting-column-chart.jpg)
*Query results for alerts by severity displayed as a column chart*
#### Alert severity by operating system
You could also use the `summarize` operator to prepare results for charting values from multiple fields. For example, you might want to understand how alert severities are distributed across operating systems (OS).
The query below uses a `join` operator to pull in OS information from the `DeviceInfo` table, and then uses `summarize` to count values in both the `OSPlatform` and `Severity` columns:
```kusto
DeviceAlertEvents
| join DeviceInfo on DeviceId
| summarize Count = count() by OSPlatform, Severity
```
These results are best visualized using a stacked column chart:
![Image of advanced hunting query results displayed as a stacked chart](images/advanced-hunting-stacked-chart.jpg)
*Query results for alerts by OS and severity displayed as a stacked chart*
#### Top ten machine groups with alerts
If you're dealing with a list of values that isnt finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten machine groups with the most alerts, use the query below:
```kusto
DeviceAlertEvents
| join DeviceInfo on DeviceId
| summarize Count = count() by MachineGroup
| top 10 by Count
```
Use the pie chart view to effectively show distribution across the top groups:
![Image of advanced hunting query results displayed as a pie chart](images/advanced-hunting-pie-chart.jpg)
*Pie chart showing distribution of alerts across machine groups*
#### Malware detections over time
Using the `summarize` operator with the `bin()` function, you can check for events involving a particular indicator over time. The query below counts detections of an EICAR test file at 30 minute intervals to show spikes in detections of that file:
```kusto
DeviceEvents
| where ActionType == "AntivirusDetection"
| where SHA1 == "3395856ce81f2b7382dee72602f798b642f14140"
| summarize Detections = count() by bin(Timestamp, 30m)
```
The line chart below clearly highlights time periods with more detections of the test malware:
![Image of advanced hunting query results displayed as a line chart](images/advanced-hunting-line-chart.jpg)
*Line chart showing the number of detections of a test malware over time*
## Export tables and charts
After running a query, select **Export** to save the results to local file. Your chosen view determines how the results are exported:
- **Table view** — the query results are exported in tabular form as a Microsoft Excel workbook
- **Any chart** — the query results are exported as a JPEG image of the rendered chart
## Drill down from query results
To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
## Tweak your queries from the results
Right-click a value in the result set to quickly enhance your query. You can use the options to:
- Explicitly look for the selected value (`==`)
- Exclude the selected value from the query (`!=`)
- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with`
![Image of advanced hunting result set](images/advanced-hunting-results-filter.png)
## Filter the query results
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**.
![Image of advanced hunting filter](images/advanced-hunting-filter.png)
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -55,4 +55,5 @@ Table and column names are also listed within the Microsoft Defender Security Ce
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Learn the query language](advanced-hunting-query-language.md)

28
windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
View File

@ -19,12 +19,13 @@ ms.topic: conceptual
# Configuration score
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as Configuration score.
Your Configuration score is visible in the Threat & Vulnerability Management dashboard of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories:
Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories:
- Application
- Operating system
@ -48,14 +49,29 @@ The data in the configuration score card is the product of meticulous and ongoin
From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
## Improve your configuration score
## Improve your security configuration
The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on:
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
- **Remediation type** — **Configuration change** or **Software update**
1. From the Configuration score card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md), select **Security controls**. The [**Security recommendations**](tvm-security-recommendation.md) page opens to shows the list of recommendations related to security controls.
See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
![Security controls related security recommendations](images/tvm_security_controls.png)
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
>![Request remediation](images/tvm_request_remediation.png).
You will see a confirmation message that the remediation task has been created.
>![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
4. Save your CSV file.
![Save csv file](images/tvm_save_csv_file.png)
5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
6. Review the machine **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:

28
windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
View File

@ -1,6 +1,6 @@
---
title: Optimize ASR rule deployment and detections
description: Ensure your attack surface reduction (ASR) rules are fully optimized to identify and prevent typical actions taken by malware during the exploitation phase.
description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits.
keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -23,33 +23,31 @@ ms.topic: article
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink).
[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives.
![Attack surface management card](images/secconmgmt_asr_card.png)<br>
*Attack surface management card*
The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to:
The *Attack surface management card* is an entry point to tools in Microsoft 365 security center that you can use to:
* Understand how ASR rules are currently deployed in your organization
* Review ASR detections and identify possible incorrect detections
* Analyze the impact of exclusions and generate the list of file paths to exclude
* Understand how ASR rules are currently deployed in your organization.
* Review ASR detections and identify possible incorrect detections.
* Analyze the impact of exclusions and generate the list of file paths to exclude.
Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
Select **Go to attack surface management** > **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)<br>
*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center*
The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*
> [!NOTE]
> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions)
> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions).
For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections)
For more information about ASR rule deployment in Microsoft 365 security center, see [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections).
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
## Related topics
**Related topics**
* [Ensure your machines are configured properly](configure-machines.md)
* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)

14
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -63,14 +63,14 @@ With the query in the query editor, select **Create detection rule** and specify
For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
#### Rule frequency
When saved, custom detections rules immediately run. They then run again at fixed intervals based on the frequency you choose. Rules that run less frequently will have longer lookback durations:
When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
- **Every 24 hours** — checks data from the past 30 days
- **Every 12 hours** — checks data from the past 24 hours
- **Every 3 hours** — checks data from the past 6 hours
- **Every hour** — checks data from the past 2 hours
- **Every 24 hours** — runs every 24 hours, checking data from the past 30 days
- **Every 12 hours** — runs every 12 hours, checking data from the past 24 hours
- **Every 3 hours** — runs every 3 hours, checking data from the past 6 hours
- **Every hour** — runs hourly, checking data from the past 2 hours
Whenever a rule runs, similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
### 3. Specify actions on files or machines.
Your custom detection rule can automatically take actions on files or machines that are returned by the query.
@ -88,7 +88,7 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1`
- **Quarantine file** — deletes the file from its current location and places a copy in quarantine
### 4. Click **Create** to save and turn on the rule.
When saved, the custom detection rule immediately runs. It runs again every 24 hours to check for matches, generate alerts, and take response actions.
After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
## Manage existing custom detection rules
In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.

62
windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md Normal file
View File

@ -0,0 +1,62 @@
---
title: Deployment phases
description: Learn how deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service
keywords: deploy, prepare, setup, onboard, phase, deployment, deploying, adoption, configuring
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Deployment phases
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
There are three phases in deploying Microsoft Defender ATP:
|Phase | Desription |
|:-------|:-----|
| ![Phase 1: Prepare](images/prepare.png)<br>[Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Microsoft Defender ATP: <br><br>- Stakeholders and sign-off <br> - Environment considerations <br>- Access <br> - Adoption order
| ![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:<br><br>- Validating the licensing <br> - Completing the setup wizard within the portal<br>- Network configuration|
| ![Phase 3: Onboard](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. You'll be guided on:<br><br>- Using Microsoft Endpoint Configuration Manager to onboard devices<br>- Configure capabilities
The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP.
There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
## In Scope
The following is in scope for this deployment guide:
- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service
- Enabling Microsoft Defender ATP endpoint protection platform (EPP)
capabilities
- Next Generation Protection
- Attack Surface Reduction
- Enabling Microsoft Defender ATP endpoint detection and response (EDR)
capabilities including automatic investigation and remediation
- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
## Out of scope
The following are out of scope of this deployment guide:
- Configuration of third-party solutions that might integrate with Microsoft
Defender ATP
- Penetration testing in production environment

47
windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Plan your Microsoft Defender ATP deployment strategy
description: Select the best Microsoft Defender ATP deployment strategy for your environment
keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Plan your Microsoft Defender ATP deployment strategy
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Microsoft Defender ATP.
You can deploy Microsoft Defender ATP using various management tools. In general the following management tools are supported:
- Group policy
- Microsoft Endpoint Configuration Manager
- Mobile Device Management tools
- Local script
## Microsoft Defender ATP deployment strategy
Depending on your environment, some tools are better suited for certain architectures.
|**Item**|**Description**|
|:-----|:-----|
|[![Thumb image for Microsoft Defender ATP deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li>
## Related topics
- [Deployment phases](deployment-phases.md)

BIN
windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf Normal file
View File

Binary file not shown.

BIN
windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx Normal file
View File

Binary file not shown.

3
windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
View File

@ -23,8 +23,7 @@ ms.topic: article
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs.

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-column-chart.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 94 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png → windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-filter.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 179 KiB

After

Width:  |  Height:  |  Size: 179 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-line-chart.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 129 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-pie-chart.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 98 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG → windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-results-filter.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-stacked-chart.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 107 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/configure-page.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/configure.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.7 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 84 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/no-license-found.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/oboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/onboard-page.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/onboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.7 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/plan-page.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/plan.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.6 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/prepare.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.3 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 51 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 370 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/setup.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 25 KiB

67
windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
View File

@ -1,6 +1,6 @@
---
title: Information protection in Windows overview
ms.reviewer:
ms.reviewer:
description: Learn about how information protection works in Windows to identify and protect sensitive information
keywords: information, protection, dlp, wip, data, loss, prevention, protect
search.product: eADQiWindows 10XVcnh
@ -13,60 +13,60 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Information protection in Windows overview
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
>[!TIP]
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
Microsoft Defender ATP applies the following methods to discover, classify, and protect data:
- **Data discovery** - Identify sensitive data on Windows devices at risk
- **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasnt manually classified it.
- **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label
## Data discovery and data classification
Microsoft Defender ATP automatically discovers files with sensitivity labels and files that contain sensitive information types.
Sensitivity labels classify and help protect sensitive content.
Microsoft Defender ATP automatically discovers files with sensitivity labels and files that contain sensitive information types.
Sensitivity labels classify and help protect sensitive content.
Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:
- Default
- Custom
Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type).
When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information.
When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information.
Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Microsoft Defender ATP though labels or information types, it is automatically forwarded to Azure Information Protection from the device.
![Image of settings page with Azure Information Protection](images/atp-settings-aip.png)
The reported signals can be viewed on the Azure Information Protection Data discovery dashboard.
The reported signals can be viewed on the Azure Information Protection Data discovery dashboard.
## Azure Information Protection - Data discovery dashboard
This dashboard presents a summarized discovery information of data discovered by bothMicrosoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint.
## Azure Information Protection - Data discovery dashboard
This dashboard presents a summarized discovery information of data discovered by both Microsoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint.
![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png)
Notice the Device Risk column on the right, this device risk is derived directly from Microsoft Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Microsoft Defender ATP.
Click on a device to view a list of files observed on this device, with their sensitivity labels and information types.
@ -74,47 +74,44 @@ Click on a device to view a list of files observed on this device, with their se
>[!NOTE]
>Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered files.
## Log Analytics
## Log Analytics
Data discovery based on Microsoft Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data.
For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip).
For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip).
Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
To view Microsoft Defender ATP data, perform a query that contains:
Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
To view Microsoft Defender ATP data, perform a query that contains:
```
InformationProtectionLogs_CL
| where Workload_s == "Windows Defender"
InformationProtectionLogs_CL
| where Workload_s == "Windows Defender"
```
**Prerequisites:**
- Customers must have a subscription for Azure Information Protection.
- Enable Azure Information Protection integration in Microsoft Defender Security Center:
- Enable Azure Information Protection integration in Microsoft Defender Security Center:
- Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
## Data protection
## Data protection
### Endpoint data loss prevention
For data to be protected, they must first be identified through labels.
For data to be protected, they must first be identified through labels.
Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention.
For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices).
When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention.
For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices).
![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png)
Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
@ -127,10 +124,8 @@ Those information types are evaluated against the auto-labeling policy. If a mat
> [!NOTE]
> Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves.
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
## Related topics
- [How Windows Information Protection protects files with a sensitivity label](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels)

3
windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
View File

@ -30,6 +30,9 @@ When you investigate an incident, you'll see:
- Incident comments and actions
- Tabs (alerts, machines, investigations, evidence, graph)
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV]
## Analyze incident details
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).

123
windows/security/threat-protection/microsoft-defender-atp/licensing.md
View File

@ -1,123 +0,0 @@
---
title: Validate licensing provisioning and complete Microsoft Defender ATP set up
description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Microsoft Defender Advanced Threat Protection portal.
keywords: license, licensing, account, set up, validating licensing, windows defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Validate licensing provisioning and complete set up for Microsoft Defender ATP
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
## Check license state
Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
![Image of Azure Licensing page](images/atp-licensing-azure-portal.png)
1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
- On the screen you will see all the provisioned licenses and their current **Status**.
![Image of billing licenses](images/atp-billing-subscriptions.png)
## Cloud Service Provider validation
To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
1. From the **Partner portal**, click on the **Administer services > Office 365**.
2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center.
![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png)
## Access Microsoft Defender Security Center for the first time
When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created.
1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
![Image of Set up your permissions for Microsoft Defender ATP](images/atp-setup-permissions-wdatp-portal.png)
Once the authorization step is completed, the **Welcome** screen will be displayed.
2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard.
![Image of Welcome screen for portal set up](images/welcome1.png)
You will need to set up your preferences for Microsoft Defender Security Center.
3. Set up preferences
![Image of geographic location in set up](images/setup-preferences.png)
1. **Select data storage location** <br> When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
> [!WARNING]
> This option cannot be changed without completely offboarding from Microsoft Defender ATP and completing a new enrollment process.
2. **Select the data retention policy** <br> Microsoft Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process.
> [!NOTE]
> This option can be changed at a later time.
3. **Select the size of your organization** <br> You will need to indicate the size of your organization based on an estimate of the number of employees currently employed.
> [!NOTE]
> The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization.
4. **Turn on preview features** <br> Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
- Toggle the setting between On and Off to choose **Preview features**.
> [!NOTE]
> This option can be changed at a later time.
4. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
> [!NOTE]
> Some of these options can be changed at a later time in Microsoft Defender Security Center.
![Image of final preference set up](images/setup-preferences2.png)
5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete.
6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to:
- [Onboard Windows 10 machines](configure-endpoints.md)
- Run detection test (optional)
![Image of Onboard machines and run detection test](images/atp-onboard-endpoints-run-detection-test.png)
> [!IMPORTANT]
> If you click **Start using Microsoft Defender ATP** before onboarding machines you will receive the following notification:
> ![Image of setup imcomplete](images/atp-setup-incomplete.png)
7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time.
## Related topics
- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md)
- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages.md)

62
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
View File

@ -1,6 +1,6 @@
---
title: Deploy Microsoft Defender ATP for Linux manually
ms.reviewer:
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: conceptual
---
@ -37,29 +37,29 @@ Before you get started, see [Microsoft Defender ATP for Linux](microsoft-defende
## Configure the Linux software repository
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
### RHEL and variants (CentOS and Oracle EL)
### RHEL and variants (CentOS and Oracle Linux)
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
> [!NOTE]
> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
> In case of Oracle Linux, replace *[distro]* with “rhel”.
```bash
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
```bash
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
```
- Install the Microsoft GPG public key:
@ -67,12 +67,18 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
```
```bash
sudo rpm --import microsoft.asc
```
- Download and make usable all the metadata for the currently enabled yum repositories:
- Install `yum-utils` if it is not already installed:
```bash
sudo yum install yum-utils
```
- Download and make usable all the metadata for the currently enabled yum repositories:
```bash
yum makecache
@ -85,10 +91,10 @@ In order to preview new features and provide early feedback, it is recommended t
In the following commands, replace *[distro]* and *[version]* with the information you've identified:
```bash
sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
```bash
sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
@ -99,7 +105,7 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
```
```bash
rpm --import microsoft.asc
```
@ -112,6 +118,12 @@ In order to preview new features and provide early feedback, it is recommended t
sudo apt-get install curl
```
- Install `libplist-utils` if it is not already installed:
```bash
sudo apt-get install libplist-utils
```
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
In the below command, replace *[distro]* and *[version]* with the information you've identified:
@ -120,10 +132,10 @@ In order to preview new features and provide early feedback, it is recommended t
curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
```
For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insider-fast* channel:
For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
```bash
curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
```
- Install the repository configuration:
@ -141,12 +153,7 @@ In order to preview new features and provide early feedback, it is recommended t
- Install the Microsoft GPG public key:
```bash
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
```
```bash
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
```
- Install the https driver if it's not already present:
@ -163,7 +170,7 @@ In order to preview new features and provide early feedback, it is recommended t
## Application installation
- RHEL and variants (CentOS and Oracle EL):
- RHEL and variants (CentOS and Oracle Linux):
```bash
sudo yum install mdatp
@ -193,7 +200,7 @@ Download the onboarding package from Microsoft Defender Security Center:
4. From a command prompt, verify that you have the file.
Extract the contents of the archive:
```bash
ls -l
total 8
@ -234,6 +241,9 @@ Download the onboarding package from Microsoft Defender Security Center:
1
```
> [!IMPORTANT]
> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine:
- Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
@ -246,7 +256,7 @@ Download the onboarding package from Microsoft Defender Security Center:
- Open a Terminal window. Copy and execute the following command:
``` bash
curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt
curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
```
- The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:

80
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
View File

@ -1,6 +1,6 @@
---
title: Deploy Microsoft Defender ATP for Linux with Ansible
ms.reviewer:
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: conceptual
---
@ -36,14 +36,14 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl
Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
- Ansible needs to be installed on at least on one computer (we will call it the master).
- Passwordless SSH must be configured for the root user between the master and all clients.
- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
- The following software must be installed on all clients:
- Python-apt
- Curl
- Unzip
- curl
- python-apt
- unzip
- All hosts must be listed in the following format in the `/etc/ansible/hosts` file:
- All host must be listed in the following format in the `/etc/ansible/hosts` file:
```bash
[servers]
host1 ansible_ssh_host=10.171.134.39
@ -67,7 +67,7 @@ Download the onboarding package from Microsoft Defender Security Center:
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash
$ ls -l
total 8
@ -79,12 +79,11 @@ Download the onboarding package from Microsoft Defender Security Center:
## Create Ansible YAML files
Create subtask or role files that contribute to an actual task. Create the following files under the `/etc/ansible/roles` directory.
Create subtask or role files that contribute to an actual task. First create the `copy_onboarding_pkg.yml` file under the `/etc/ansible/roles` directory:
- Copy the onboarding package to all client machines:
```bash
$ cat /etc/ansible/roles/copy_onboarding_pkg.yml
- name: Copy the zip file
copy:
src: /root/WindowsDefenderATPOnboardingPackage.zip
@ -92,29 +91,33 @@ Create subtask or role files that contribute to an actual task. Create the follo
owner: root
group: root
mode: '0644'
- name: Add Microsoft apt signing key
apt_key:
url: https://packages.microsoft.com/keys/microsoft.asc
state: present
when: ansible_os_family == "Debian"
```
- Create a `setup.sh` script that operates on the onboarding file:
- Create the `setup.sh` script that operates on the onboarding file, in this example located in the `/root` directory:
```bash
$ cat /root/setup.sh
#!/bin/bash
# We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root
cd /root || exit 1
# Unzip the archive and create the onboarding file
mkdir -p /etc/opt/microsoft/mdatp/
unzip WindowsDefenderATPOnboardingPackage.zip
cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
# get the GPG key
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
```
- Create the onboarding file:
- Create the onboarding task, `onboarding_setup.yml`, under the `/etc/ansible/roles` directory:
```bash
$ cat setup_blob.yml
- name: Register mdatp_onboard.json
stat: path=/etc/opt/microsoft/mdatp/mdatp_onboard.json
register: mdatp_onboard
- name: Copy the setup script file
copy:
src: /root/setup.sh
@ -124,46 +127,41 @@ Create subtask or role files that contribute to an actual task. Create the follo
mode: '0744'
- name: Run a script to create the onboarding file
script: /root/setup.sh
script: /root/setup.sh
when: not mdatp_onboard.stat.exists
```
- Add the Microsoft Defender ATP repository and key.
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository.
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified.
> [!NOTE]
> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
- For apt-based distributions use the following YAML file:
> In case of Oracle Linux, replace *[distro]* with “rhel”.
```bash
$ cat add_apt_repo.yml
- name: Add Microsoft repository for MDATP
- name: Add Microsoft apt repository for MDATP
apt_repository:
repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
update_cache: yes
state: present
filename: microsoft-[channel].list
when: ansible_os_family == "Debian"
- name: Add Microsoft APT key
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229C
```
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229C
when: ansible_os_family == "Debian"
- For yum-based distributions use the following YAML file:
```bash
$ cat add_yum_repo.yml
- name: Add Microsoft repository for MDATP
- name: Add Microsoft yum repository for MDATP
yum_repository:
name: packages-microsoft-com-prod-[channel]
description: Microsoft Defender ATP
@ -171,6 +169,7 @@ Create subtask or role files that contribute to an actual task. Create the follo
baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
gpgcheck: yes
enabled: Yes
when: ansible_os_family == "RedHat"
```
- Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`.
@ -233,6 +232,9 @@ Now run the tasks files under `/etc/ansible/playbooks/`.
$ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
```
> [!IMPORTANT]
> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes.
- Validation/configuration:
```bash

11
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
View File

@ -78,18 +78,18 @@ install_mdatp
### Contents of `install_mdatp/manifests/init.pp`
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository.
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
> [!NOTE]
> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
> In case of Oracle Linux, replace *[distro]* with “rhel”.
```puppet
class install_mdatp {
@ -167,6 +167,9 @@ $ mdatp --health healthy
The above command prints `1` if the product is onboarded and functioning as expected.
> [!IMPORTANT]
> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
- 1 if the device is not yet onboarded.

16
windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
View File

@ -35,7 +35,7 @@ This topic describes the structure of this profile (including a recommended prof
The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences.
Typically, you would use a configuration management tool to push a file with the name ```mdatp_maanged.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```.
Typically, you would use a configuration management tool to push a file with the name ```mdatp_managed.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```.
The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
@ -51,7 +51,7 @@ The *antivirusEngine* section of the configuration profile is used to manage the
#### Enable / disable real-time protection
Detemines whether real-time protection (scan files as they are accessed) is enabled or not.
Determines whether real-time protection (scan files as they are accessed) is enabled or not.
|||
|:---|:---|
@ -61,7 +61,7 @@ Detemines whether real-time protection (scan files as they are accessed) is enab
#### Enable / disable passive mode
Detemines whether the antivirus engine runs in passive mode or not. In passive mode:
Determines whether the antivirus engine runs in passive mode or not. In passive mode:
- Real-time protection is turned off.
- On-demand scanning is turned on.
- Automatic threat remediation is turned off.
@ -351,6 +351,16 @@ The following configuration profile contains entries for all settings described
}
```
## Configuration profile validation
The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:
```bash
$ python -m json.tool mdatp_managed.json
```
If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
## Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.

2
windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
View File

@ -68,7 +68,7 @@ There are several ways to uninstall Microsoft Defender ATP for Linux. If you are
### Manual uninstallation
- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle EL).
- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle Linux).
- ```sudo zypper remove mdatp``` for SLES and variants.
- ```sudo apt-get purge mdatp``` for Ubuntu and Debian systems.

8
windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
View File

@ -33,7 +33,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
- The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line:
```bash
HTTPS_PROXY=http://proxy.server:port/
HTTPS_PROXY="http://proxy.server:port/"
```
- The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
@ -48,7 +48,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
```bash
$ HTTPS_PROXY=http://proxy.server:port/" apt install mdatp
$ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
```
> [!NOTE]
@ -62,12 +62,12 @@ Note that installation and uninstallation will not necessarily fail if a proxy i
After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
- Uncomment the line `#Environment=HTTPS_PROXY="http://address:port` and specify your static proxy address.
- Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address.
- Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
```bash
HTTPS_PROXY=http://proxy.server:port/
HTTPS_PROXY="http://proxy.server:port/"
```
After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:

2
windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
View File

@ -28,7 +28,7 @@ Microsoft regularly publishes software updates to improve performance, security,
To update Microsoft Defender ATP for Linux manually, execute one of the following commands:
## RHEL and variants (CentOS and Oracle EL)
## RHEL and variants (CentOS and Oracle Linux)
```bash
sudo yum update mdatp

2
windows/security/threat-protection/microsoft-defender-atp/live-response.md
View File

@ -27,6 +27,8 @@ Live response is a capability that gives you instantaneous access to a machine u
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUW]
With live response, analysts will have the ability to:
- Run basic and advanced commands to do investigative work
- Download files such as malware samples and outcomes of PowerShell scripts

2
windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
View File

@ -67,7 +67,7 @@ You can validate that your exclusion lists are working by using `curl` to downlo
In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path.
```bash
$ curl -o test.txt http://www.eicar.org/download/eicar.com.txt
$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).

27
windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
View File

@ -356,11 +356,15 @@ Specifies the value of tag
| **Data type** | String |
| **Possible values** | any string |
> [!IMPORTANT]
> - Only one value per tag type can be set.
> - Type of tags are unique, and should not be repeated in the same configuration profile.
## Recommended configuration profile
To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
To get started, we recommend the following configuration for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
The following configuration profile will:
The following configuration profile (or, in case of JAMF, a property list that could be uploaded into the custom settings configuration profile) will:
- Enable real-time protection (RTP)
- Specify how the following threat types are handled:
- **Potentially unwanted applications (PUA)** are blocked
@ -368,7 +372,7 @@ The following configuration profile will:
- Enable cloud-delivered protection
- Enable automatic sample submission
### JAMF profile
### Property list for JAMF configuration profile
```XML
<?xml version="1.0" encoding="UTF-8"?>
@ -487,9 +491,9 @@ The following configuration profile will:
## Full configuration profile example
The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender ATP for Mac.
The following templates contain entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender ATP for Mac.
### JAMF profile
### Property list for JAMF configuration profile
```XML
<?xml version="1.0" encoding="UTF-8"?>
@ -730,13 +734,24 @@ The following configuration profile contains entries for all settings described
</array>
```
## Property list validation
The property list must be a valid *.plist* file. This can be checked by executing:
```bash
$ plutil -lint com.microsoft.wdav.plist
com.microsoft.wdav.plist: OK
```
If the file is well-formed, the above command outputs `OK` and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
## Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune.
### JAMF deployment
From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the .plist produced earlier.
From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the *.plist* produced earlier.
>[!CAUTION]
>You must enter the correct preference domain (`com.microsoft.wdav`); otherwise, the preferences will not be recognized by Microsoft Defender ATP.

11
windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
View File

@ -13,7 +13,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: conceptual
---
@ -59,7 +59,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
If an error occurs during installation, the installer will only report a general failure.
The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
@ -72,6 +72,7 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
### From the command line
- ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
- ```sudo rm -rf '/Library/Application Support/Microsoft/Defender/'```
## Configuring from the command line
@ -98,6 +99,10 @@ Important tasks, such as controlling product settings and triggering on-demand s
|EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` |
## Client Microsoft Defender ATP quarantine directory
`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
## Microsoft Defender ATP portal information
[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender ATP Security Center.
[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender ATP Security Center.

54
windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md Normal file
View File

@ -0,0 +1,54 @@
---
title: Troubleshoot installation issues for Microsoft Defender ATP for Mac
description: Troubleshoot installation issues in Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, install
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot installation issues for Microsoft Defender ATP for Mac
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
## Installation failed
For manual installation, it is Summary page of the installation wizard that says "An error occurred during installation. The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance". For MDM deployments it would be exposed as a generic installation failure as well.
While we do not expose exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file, you can use `sed` to output the last installation session only:
```bash
$ sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC
[ERROR] Downgrade from 100.88.54 to 100.87.80 is not permitted
preinstall com.microsoft.wdav end [2020-03-11 13:08:49 -0700] 804 => 1
```
In the example above the actual reason is prefixed with `[ERROR]`.
The installation failed because a downgrade between these versions is not supported.
## No MDATP's install log
In rare cases installation leaves no trace in MDATP's /Library/Logs/Microsoft/mdatp/install.log file.
You can verify that installation happened and analyze possible errors by querying macOS logs (this can be helpful in case of MDM deployment, when there is no client UI). It is recommended to have a narrow time window to query and filter by the logging process name, as there will be huge amount of information;
```bash
grep '^2020-03-11 13:08' /var/log/install.log
log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog
```

46
windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Troubleshoot license issues for Microsoft Defender ATP for Mac
description: Troubleshoot license issues in Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, performance
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot license issues for Microsoft Defender ATP for Mac
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
While you are going through [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) and [Manual deployment](mac-install-manually.md) testing or a Proof Of Concept (PoC), you might get the following error:
![Image of license error](images/no-license-found.png)
**Message:**
No license found
Looks like your organization does not have a license for Microsoft 365 Enterprise subscription.
Contact your administrator for help.
**Cause:**
You deployed and/or installed the MDATP for macOS package ("Download installation package") but you might have run the configuration script ("Download onboarding package").
**Solution:**
Follow the WindowsDefenderATPOnboarding.py instructions documented here:
[Client configuration](mac-install-manually.md#client-configuration)

7
windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
View File

@ -26,6 +26,13 @@ ms.topic: conceptual
>
> If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
## 100.86.92
- Improvements around compatibility with Time Machine
- Addressed an issue where the product was sometimes not cleaning all files under `/Library/Application Support/Microsoft/Defender` during uninstallation
- Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft AutoUpdate
- Other performance improvements & bug fixes
## 100.86.91
> [!CAUTION]

3
windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
View File

@ -34,6 +34,9 @@ Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution th
Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ]
The integration provides the following major improvements to the existing Cloud App Security discovery:
- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers.

14
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
View File

@ -24,6 +24,7 @@ ms.topic: conceptual
> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
<p></p>
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
@ -58,7 +59,7 @@ Microsoft Defender ATP uses the following combination of technology built into W
</tr>
<tr>
<td colspan="7">
<a href="#apis"><center><b>Management and APIs</a></b></center></td>
<a href="#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td>
</tr>
<tr>
<td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
@ -115,7 +116,7 @@ Microsoft Defender ATP's new managed threat hunting service provides proactive h
<a name="apis"></a>
**[Management and APIs](management-apis.md)**<br>
**[Centralized configuration and administration, APIs](management-apis.md)**<br>
Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
<a name="mtp"></a>
@ -132,15 +133,6 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**<br>
With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
## In this section
To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Microsoft Defender Security Center.
Topic | Description
:---|:---
[Overview](overview.md) | Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform.
[Minimum requirements](minimum-requirements.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Microsoft Defender ATP.
[Configure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Microsoft Defender ATP.
[Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) | Learn how to address issues that you might encounter while using the platform.
## Related topic
[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)

11
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
View File

@ -20,6 +20,15 @@ ms.topic: conceptual
# Microsoft Defender ATP for Linux
> [!IMPORTANT]
> **PUBLIC PREVIEW EDITION**
>
> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
>
> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4q3yP]
@ -73,7 +82,7 @@ In general you need to take the following steps:
- Ubuntu 16.04 LTS or higher LTS
- Debian 9 or higher
- SUSE Linux Enterprise Server 12 or higher
- Oracle Enterprise Linux 7
- Oracle Linux 7
- Minimum kernel version 2.6.38
- The `fanotify` kernel option must be enabled

6
windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
View File

@ -24,7 +24,11 @@ ms.topic: conceptual
Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments dont get missed.
This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
Watch this video for a quick overview of Microsoft Threat Experts.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qZ0B]
## Before you begin

6
windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
View File

@ -28,7 +28,7 @@ There are some minimum requirements for onboarding machines to the service. Lear
>[!TIP]
>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
## Licensing requirements
@ -37,8 +37,10 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
For detailed licensing information, see the [Product terms page](https://www.microsoft.com/en-us/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
@ -72,7 +74,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2016, version 1803
- Windows Server, version 1803 or later
- Windows Server 2019
Machines on your network must be running one of these editions.

71
windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
View File

@ -1,15 +1,15 @@
---
title: Threat & Vulnerability Management
description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration asessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities
keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities, next generation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -18,52 +18,83 @@ ms.topic: conceptual
---
# Threat & Vulnerability Management
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
Watch this video for a quick overview of Threat & Vulnerability Management.
Watch this video for a quick overview of Threat & Vulnerability Management.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn]
## Next-generation capabilities
Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
## Next-generation capabilities
Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager.
It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
- Built-in remediation processes through Microsoft Intune and Configuration Manager
- Built-in remediation processes through Microsoft Intune and Configuration Manager
### Real-time discovery
To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
- Visibility into software and vulnerabilities. Optics into the organizations software inventory, and software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
- Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
- Application runtime context. Visibility on application usage patterns for better prioritization and decision-making.
- Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.
### Intelligence-driven prioritization
Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
- Protecting high-value assets. Microsoft Defender ATPs integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
### Seamless remediation
Microsoft Defender ATPs Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
- Remediation requests to IT. Through Microsoft Defender ATPs integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
## Before you begin
Ensure that your machines:
- Are onboarded to Microsoft Defender Advanced Threat Protection
- Run with Windows 10 1709 (Fall Creators Update) or later
>[!NOTE]
>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
> Release | Security update KB number and link
> :---|:---
> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
- Have at least one security recommendation that can be viewed in the machine page
- Are tagged or marked as co-managed
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
@ -79,4 +110,4 @@ Microsoft Defender ATPs Threat & Vulnerability Management allows security adm
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [BLOG: Microsofts Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)
- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)

7
windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
View File

@ -28,11 +28,14 @@ Offboard machine from Microsoft Defender ATP.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
- Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
>[!Note]
> This does not support offboarding macOS Devices.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -83,4 +86,4 @@ Content-type: application/json
{
"Comment": "Offboard machine by automation"
}
```
```

12
windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
View File

@ -25,6 +25,18 @@ ms.topic: article
To onboard machines without Internet access, you'll need to take the following general steps:
> [!IMPORTANT]
> The steps below are applicable only to machines running previous versions of Windows such as:
Windows Server 2016 and earlier or Windows 8.1 and earlier.
> [!NOTE]
> An OMS gateway server can still be used as proxy for disconnected Windows 10 machines when configured via 'TelemetryProxyServer' registry or GPO.
For more information, see the following articles:
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)
- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
## On-premise machines
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:

458
windows/security/threat-protection/microsoft-defender-atp/onboarding.md Normal file
View File

@ -0,0 +1,458 @@
---
title: Onboard to the Micrsoft Defender ATP service
description:
keywords:
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Onboard to the Micrsoft Defender ATP service
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Deploying Microsoft Defender ATP is a three-phase process:
<br>
<table border="0" width="100%" align="center">
<tr style="text-align:center;">
<td align="center" style="width:25%; border:0;" >
<a href= "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment">
<img src="images/prepare.png" alt="Prepare to deploy Microsoft Defender ATP" title="Prepare" />
<br/>Phase 1: Prepare </a><br>
</td>
<td align="center">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
<img src="images/setup.png" alt="Setup the Microsoft Defender ATP service" title="Setup" />
<br/>Phase 2: Setup </a><br>
</td>
<td align="center" bgcolor="#d5f5e3">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
<img src="images/onboard.png" alt="Onboard" title="Onboard to the Microsoft Defender ATP service" />
<br/>Phase 3: Onboard </a><br>
</td>
</tr>
</table>
You are currently in the onboarding phase.
To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements.
The deployment guide uses Microsoft Endpoint Configuration Manager as the management tool to demonstrate an end-to-end deployment.
This article will guide you on:
- Setting up Microsoft Endpoint Configuration Manager
- Endpoint detection and response configuration
- Next-generation protection configuration
- Attack surface reduction configuration
## Onboarding using Microsoft Endpoint Configuration Manager
### Collection creation
To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
deployment can target either and existing collection or a new collection can be
created for testing. The onboarding like group policy or manual method does
not install any agent on the system. Within the Configuration Manager console
the onboarding process will be configured as part of the compliance settings
within the console. Any system that receives this required configuration will
maintain that configuration for as long as the Configuration Manager client
continues to receive this policy from the management point. Follow the steps
below to onboard systems with Configuration Manager.
1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-device-collections.png)
2. Right Click **Device Collection** and select **Create Device Collection**.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-device-collection.png)
3. Provide a **Name** and **Limiting Collection**, then select **Next**.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-limiting-collection.png)
4. Select **Add Rule** and choose **Query Rule**.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-query-rule.png)
5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-direct-membership.png)
6. Select **Criteria** and then choose the star icon.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-criteria.png)
7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-simple-value.png)
8. Select **Next** and **Close**.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-membership-rules.png)
9. Select **Next**.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-confirm.png)
After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
## Endpoint detection and response
### Windows 10
From within the Microsoft Defender Security Center it is possible to download
the '.onboarding' policy that can be used to create the policy in System Center Configuration
Manager and deploy that policy to Windows 10 devices.
1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager **.
![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png)
3. Select **Download package**.
![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png)
4. Save the package to an accessible location.
5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-policy.png)
7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-policy-name.png)
8. Click **Browse**.
9. Navigate to the location of the downloaded file from step 4 above.
![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png)
10. Click **Next**.
11. Configure the Agent with the appropriate samples (**None** or **All file types**).
![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png)
12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
![Image of configuration settings](images/13201b477bc9a9ae0020814915fe80cc.png)
14. Verify the configuration, then click **Next**.
![Image of configuration settings](images/adc17988b0984ca2aa3ff8f41ddacaf9.png)
15. Click **Close** when the Wizard completes.
16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
![Image of configuration settings](images/4a37f3687e6ff53a593d3670b1dad3aa.png)
17. On the right panel, select the previously created collection and click **OK**.
![Image of configuration settings](images/26efa2711bca78f6b6d73712f86b5bd9.png)
### Previous versions of Windows Client (Windows 7 and Windows 8.1)
Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
2. Under operating system choose **Windows 7 SP1 and 8.1**.
![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png)
3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
Edit the InstallMMA.cmd with a text editor, such as notepad and update the
following lines and save the file:
![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
Systems:
- Server SKUs: Windows Server 2008 SP1 or Newer
- Client SKUs: Windows 7 SP1 and later
The MMA agent will need to be installed on Windows devices. To install the
agent, some systems will need to download the [Update for customer experience
and diagnostic
telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
in order to collect the data with MMA. These system versions include but may not
be limited to:
- Windows 8.1
- Windows 7
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2
Specifically, for Windows 7 SP1, the following patches must be installed:
- Install
[KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- Install either [.NET Framework
4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
later) **or**
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
Do not install both on the same system.
To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
below to utilize the provided batch files to onboard the systems. The CMD file
when executed, will require the system to copy files from a network share by the
System, the System will install MMA, Install the DependencyAgent, and configure
MMA for enrollment into the workspace.
1. In Microsoft Endpoint Configuration Manager console, navigate to **Software
Library**.
2. Expand **Application Management**.
3. Right-click **Packages** then select **Create Package**.
4. Provide a Name for the package, then click **Next**
![Image of Microsoft Endpoint Configuration Manager console](images/e156a7ef87ea6472d57a3dc594bf08c2.png)
5. Verify **Standard Program** is selected.
![Image of Microsoft Endpoint Configuration Manager console](images/227f249bcb6e7f29c4d43aa1ffaccd20.png)
6. Click **Next**.
![Image of Microsoft Endpoint Configuration Manager console](images/2c7f9d05a2ebd19607cc76b6933b945b.png)
7. Enter a program name.
8. Browse to the location of the InstallMMA.cmd.
9. Set Run to **Hidden**.
10. Set **Program can run** to **Whether or not a user is logged on**.
11. Click **Next**.
12. Set the **Maximum allowed run time** to 720.
13. Click **Next**.
![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png)
14. Verify the configuration, then click **Next**.
![Image of Microsoft Endpoint Configuration Manager console](images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png)
15. Click **Next**.
16. Click **Close**.
17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
Onboarding Package just created and select **Deploy**.
18. On the right panel select the appropriate collection.
19. Click **OK**.
## Next generation protection
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
![Image of antimalware policy](images/9736e0358e86bc778ce1bd4c516adb8b.png)
2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
![Image of next generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png)
In certain industries or some select enterprise customers might have specific
needs on how Antivirus is configured.
[Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
![Image of next generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png)
![Image of next generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png)
![Image of next generation protection pane](images/a28afc02c1940d5220b233640364970c.png)
![Image of next generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png)
![Image of next generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png)
![Image of next generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png)
![Image of next generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png)
![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png)
3. Right-click on the newly created antimalware policy and select **Deploy** .
![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png)
4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
![Image of next generation protection pane](images/26efa2711bca78f6b6d73712f86b5bd9.png)
After completing this task, you now have successfully configured Windows
Defender Antivirus.
## Attack surface reduction
The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
Protection.
All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode.
To set ASR rules in Audit mode:
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
![Image of Microsoft Endpoint Configuration Manager console](images/728c10ef26042bbdbcd270b6343f1a8a.png)
2. Select **Attack Surface Reduction**.
3. Set rules to **Audit** and click **Next**.
![Image of Microsoft Endpoint Configuration Manager console](images/d18e40c9e60aecf1f9a93065cb7567bd.png)
4. Confirm the new Exploit Guard policy by clicking on **Next**.
![Image of Microsoft Endpoint Configuration Manager console](images/0a6536f2c4024c08709cac8fcf800060.png)
5. Once the policy is created click **Close**.
![Image of Microsoft Endpoint Configuration Manager console](images/95d23a07c2c8bc79176788f28cef7557.png)
6. Right-click on the newly created policy and choose **Deploy**.
![Image of Microsoft Endpoint Configuration Manager console](images/8999dd697e3b495c04eb911f8b68a1ef.png)
7. Target the policy to the newly created Windows 10 collection and click **OK**.
![Image of Microsoft Endpoint Configuration Manager console](images/0ccfe3e803be4b56c668b220b51da7f7.png)
After completing this task, you now have successfully configured ASR rules in audit mode.
Below are additional steps to verify whether ASR rules are correctly applied to
endpoints. (This may take few minutes)
1. From a web browser, navigate to <https://securitycenter.windows.com>.
2. Select **Configuration management** from left side menu.
![A screenshot of a cell phone Description automatically generated](images/653db482c7ccaf31d06f29fb2aa24b7a.png)
3. Click **Go to attack surface management** in the Attack surface management panel.
![Image of attack surface management](images/3a01c7970ce3ec977a35883c0a01f0a2.png)
4. Click **Configuration** tab in Attack Surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png)
5. Click each device shows configuration details of ASR rules.
![A screenshot of attack surface reduction rules reports](images/24bfb16ed561cbb468bd8ce51130ca9d.png)
See [Optimize ASR rule deployment and
detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
### To set Network Protection rules in Audit mode:
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
![A screenshot System Center Confirugatiom Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png)
2. Select **Network protection**.
3. Set the setting to **Audit** and click **Next**.
![A screenshot System Center Confirugatiom Manager](images/c039b2e05dba1ade6fb4512456380c9f.png)
4. Confirm the new Exploit Guard Policy by clicking **Next**.
![A screenshot Exploit GUard policy](images/0a6536f2c4024c08709cac8fcf800060.png)
5. Once the policy is created click on **Close**.
![A screenshot Exploit GUard policy](images/95d23a07c2c8bc79176788f28cef7557.png)
6. Right-click on the newly created policy and choose **Deploy**.
![A screenshot Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png)
7. Select the policy to the newly created Windows 10 collection and choose **OK**.
![A screenshot Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png)
After completing this task, you now have successfully configured Network
Protection in audit mode.
### To set Controlled Folder Access rules in Audit mode:
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
![A screenshot of Microsoft Endpoint Configuration Manager ](images/728c10ef26042bbdbcd270b6343f1a8a.png)
2. Select **Controlled folder access**.
3. Set the configuration to **Audit** and click **Next**.
![A screenshot of Microsoft Endpoint Configuration Manager ](images/a8b934dab2dbba289cf64fe30e0e8aa4.png)
4. Confirm the new Exploit Guard Policy by clicking on **Next**.
![A screenshot of Microsoft Endpoint Configuration Manager ](images/0a6536f2c4024c08709cac8fcf800060.png)
5. Once the policy is created click on **Close**.
![A screenshot of Microsoft Endpoint Configuration Manager ](images/95d23a07c2c8bc79176788f28cef7557.png)
6. Right-click on the newly created policy and choose **Deploy**.
![A screenshot of Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png)
7. Target the policy to the newly created Windows 10 collection and click **OK**.
![A screenshot of Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png)
After completing this task, you now have successfully configured Controlled folder access in audit mode.

46
windows/security/threat-protection/microsoft-defender-atp/overview.md
View File

@ -1,46 +0,0 @@
---
title: Overview of Microsoft Defender ATP
ms.reviewer:
description: Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform
keywords: atp, microsoft defender atp, defender, mdatp, threat protection, platform, threat, vulnerability, asr, attack, surface, reduction, next-gen, protection, edr, endpoint, detection, response, automated, air, cyber threat hunting, advanced hunting
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Overview of Microsoft Defender ATP capabilities
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform.
>[!TIP]
>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
## In this section
Topic | Description
:---|:---
[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) | Reduce organizational vulnerability exposure and increase threat resilience while seamlessly connecting workflows across security stakeholders—security administrators, security operations, and IT administrators in remediating threats.
[Attack surface reduction](overview-attack-surface-reduction.md) | Leverage exploit protection, attack surface reduction rules, and other capabilities to protect the perimeter of your organization. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs.
[Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Microsoft Defender ATP so you can protect desktops, portable computers, and servers.
[Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats.
[Automated investigation and remediation](automated-investigations.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
[Configuration score](configuration-score.md) | Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls.
[Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand. <p><p>**NOTE:** <p>Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.<p>If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
[Advanced hunting](advanced-hunting-overview.md) | Use a powerful query-based threat-hunting tool to proactively find breach activity and create custom detection rules.
[Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows.
[Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other how Microsoft Defender ATP works with other Microsoft security solutions.
[Portal overview](portal-overview.md) |Learn to navigate your way around Microsoft Defender Security Center.

84
windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
View File

@ -22,9 +22,54 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Deploying Microsoft Defender ATP is a three-phase process:
<br>
<table border="0" width="100%" align="center">
<tr style="text-align:center;">
<td align="center" style="width:25%; border:0;" bgcolor="#d5f5e3">
<a href= "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment">
<img src="images/prepare.png" alt="Plan to deploy Microsoft Defender ATP" title="Plan" />
<br/>Phase 1: Prepare </a><br>
</td>
<td align="center" >
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
<img src="images/setup.png" alt="Onboard to the Microsoft Defender ATP service" title="Setup the Microsoft Defender ATP service" />
<br/>Phase 2: Setup </a><br>
</td>
<td align="center">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
<img src="images/onboard.png" alt="Configure capabilities" title="Configure capabilities" />
<br/>Phase 3: Onboard</a><br>
</td>
</tr>
<tr>
<td style="width:25%; border:0;">
</td>
<td valign="top" style="width:25%; border:0;">
</td>
<td valign="top" style="width:25%; border:0;">
</td>
</tr>
</table>
You are currently in the preparation phase.
Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Microsoft Defender ATP.
## Stakeholders and Sign-off
The following section serves to identify all the stakeholders that are involved
in this project and need to sign-off, review, or stay informed. Add stakeholders
in the project and need to sign-off, review, or stay informed.
Add stakeholders
to the table below as appropriate for your organization.
- SO = Sign-off on this project
@ -41,33 +86,6 @@ to the table below as appropriate for your organization.
| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.* | R |
| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience and overall usefulness of this change from a security operations perspective.* | I |
## Project Management
### In Scope
The following is in scope for this project:
- Enabling Microsoft Defender ATP endpoint protection platform (EPP)
capabilities
- Next Generation Protection
- Attack Surface Reduction
- Enabling Microsoft Defender ATP endpoint detection and response (EDR)
capabilities including automatic investigation and remediation
- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service.
### Out of scope
The following are out of scope of this project:
- Configuration of third-party solutions that might integrate with Microsoft
Defender ATP.
- Penetration testing in production environment.
## Environment
@ -140,8 +158,9 @@ structure required for your environment.
## Adoption Order
In many cases, organizations will have existing endpoint security products in
place. The bare minimum every organization should have is an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already.
Historically, replacing any security solution used to be time intensive and difficult
to achieve, due to the tight hooks into the application layer and infrastructure
to achieve due to the tight hooks into the application layer and infrastructure
dependencies. However, because Microsoft Defender ATP is built into the
operating system, replacing third-party solutions is now easy to achieve.
@ -158,5 +177,8 @@ how the endpoint security suite should be enabled.
| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
## Related topic
- [Production deployment](production-deployment.md)
## Next step
|||
|:-------|:-----|
|![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md) | Setup Microsoft Defender ATP deployment

13
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -24,14 +24,15 @@ ms.topic: conceptual
The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md).
## Turn on preview features
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
Turn on the preview experience setting to be among the first to try upcoming features.
@ -41,17 +42,19 @@ Turn on the preview experience setting to be among the first to try upcoming fea
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Preview features
The following features are included in the preview release:
- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) <br> Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information.
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR> Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. <BR> <BR> Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. See [Secure Configuration Assessment (SCA) for Windows Server now in public preview](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/secure-configuration-assessment-sca-for-windows-server-now-in/ba-p/1243885) and [Reducing risk with new Threat & Vulnerability Management capabilities](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/reducing-risk-with-new-threat-amp-vulnerability-management/ba-p/978145) blogs for more information.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.
- [Machine health and compliance report](machine-reports.md) <br/> The machine health and compliance report provides high-level information about the devices in your organization.
- [Information protection](information-protection-in-windows-overview.md)<BR>
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.

75
windows/security/threat-protection/microsoft-defender-atp/product-brief.md
View File

@ -1,75 +0,0 @@
---
title: Microsoft Defender Advanced Threat Protection product brief
description: Learn about the Microsoft Defender Advanced Threat Protection capabilities and licensing requirements
keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Defender Advanced Threat Protection product brief
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Microsoft Defender ATP is a platform designed to
help enterprise networks prevent, detect, investigate, and respond to advanced
threats.
![Image of the Microsoft Defender ATP components](images/mdatp-platform.png)
## Platform capabilities
Capability | Description
:---|:---
**Threat and Vulnerability Management** | This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
**Attack Surface Reduction** | The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
**Next Generation Protection** | To further reinforce the security perimeter of the organizations network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
**Microsoft Threat Experts** | Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
**Configuration Score** | Microsoft Defender ATP includes configuration score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization.
**Advance Hunting** | Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in the organization.
**Management and API** | Integrate Microsoft Defender Advanced Threat Protection into existing workflows.
**Microsoft Threat Protection** | Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to the organization. | |
Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
- **Cloud security analytics**: Leveraging big-data, machine-learning, and
unique Microsoft optics across the Windows ecosystem,
enterprise cloud products (such as Office 365), and online assets, behavioral signals
are translated into insights, detections, and recommended responses
to advanced threats.
- **Threat intelligence**: Generated by Microsoft hunters, security teams,
and augmented by threat intelligence provided by partners, threat
intelligence enables Microsoft Defender ATP to identify attacker
tools, techniques, and procedures, and generate alerts when these
are observed in collected sensor data.
## Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
- Microsoft 365 A5 (M365 A5)
## Related topic
- [Prepare deployment](prepare-deployment.md)

469
windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
View File

@ -1,5 +1,5 @@
---
title: Microsoft Defender ATP production deployment
title: Setup Microsoft Defender ATP deployment
description:
keywords:
search.product: eADQiWindows 10XVcnh
@ -17,21 +17,74 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Defender ATP production deployment
# Setup Microsoft Defender ATP deployment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Proper planning is the foundation of a successful deployment. In this deployment scenario, you'll be guided through the steps on:
Deploying Microsoft Defender ATP is a three-phase process:
<br>
<table border="0" width="100%" align="center">
<tr style="text-align:center;">
<td align="center" style="width:25%; border:0;" >
<a href= "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment">
<img src="images/prepare.png" alt="Prepare to deploy Microsoft Defender ATP" title="Prepare" />
<br/>Phase 1: Prepare </a><br>
</td>
<td align="center"bgcolor="#d5f5e3">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
<img src="images/setup.png" alt="Onboard to the Microsoft Defender ATP service" title="Setup" />
<br/>Phase 2: Setup </a><br>
</td>
<td align="center">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
<img src="images/onboard.png" alt="Onboard" title="Onboard" />
<br/>Phase 3: Onboard </a><br>
</td>
</tr>
</table>
You are currently in the setup phase.
In this deployment scenario, you'll be guided through the steps on:
- Licensing validation
- Tenant configuration
- Network configuration
- Onboarding using Microsoft Endpoint Configuration Manager
- Endpoint detection and response
- Next generation protection
- Attack surface reduction
>[!NOTE]
>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
## Check license state
Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
![Image of Azure Licensing page](images/atp-licensing-azure-portal.png)
1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
- On the screen you will see all the provisioned licenses and their current **Status**.
![Image of billing licenses](images/atp-billing-subscriptions.png)
## Cloud Service Provider validation
To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
1. From the **Partner portal**, click on the **Administer services > Office 365**.
2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center.
![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png)
## Tenant Configuration
@ -111,7 +164,7 @@ under:
Preview Builds \> Configure Authenticated Proxy usage for the Connected User
Experience and Telemetry Service
- Set it to **Enabled** and select<EFBFBD>**Disable Authenticated Proxy usage**
- Set it to **Enabled** and select **Disable Authenticated Proxy usage**
1. Open the Group Policy Management Console.
2. Create a policy or edit an existing policy based off the organizational practices.
@ -205,397 +258,7 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
> [!NOTE]
> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
## Onboarding using Microsoft Endpoint Configuration Manager
### Collection creation
To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
deployment can target either and existing collection or a new collection can be
created for testing. The onboarding like group policy or manual method does
not install any agent on the system. Within the Configuration Manager console
the onboarding process will be configured as part of the compliance settings
within the console. Any system that receives this required configuration will
maintain that configuration for as long as the Configuration Manager client
continues to receive this policy from the management point. Follow the steps
below to onboard systems with Configuration Manager.
1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
![Image of Configuration Manager wizard](images/sccm-device-collections.png)
2. Right Click **Device Collection** and select **Create Device Collection**.
![Image of Configuration Manager wizard](images/sccm-create-device-collection.png)
3. Provide a **Name** and **Limiting Collection**, then select **Next**.
![Image of Configuration Manager wizard](images/sccm-limiting-collection.png)
4. Select **Add Rule** and choose **Query Rule**.
![Image of Configuration Manager wizard](images/sccm-query-rule.png)
5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
![Image of Configuration Manager wizard](images/sccm-direct-membership.png)
6. Select **Criteria** and then choose the star icon.
![Image of Configuration Manager wizard](images/sccm-criteria.png)
7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
![Image of Configuration Manager wizard](images/sccm-simple-value.png)
8. Select **Next** and **Close**.
![Image of Configuration Manager wizard](images/sccm-membership-rules.png)
9. Select **Next**.
![Image of Configuration Manager wizard](images/sccm-confirm.png)
After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
## Endpoint detection and response
### Windows 10
From within the Microsoft Defender Security Center it is possible to download
the '.onboarding' policy that can be used to create the policy in Microsoft Endpoint Configuration Manager and deploy that policy to Windows 10 devices.
1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
2. Under Deployment method select the supported version of **Configuration Manager**.
![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png)
3. Select **Download package**.
![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png)
4. Save the package to an accessible location.
5. In Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
![Image of Configuration Manager wizard](images/sccm-create-policy.png)
7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
![Image of Configuration Manager wizard](images/sccm-policy-name.png)
8. Click **Browse**.
9. Navigate to the location of the downloaded file from step 4 above.
![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png)
10. Click **Next**.
11. Configure the Agent with the appropriate samples (**None** or **All file types**).
![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png)
12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
![Image of configuration settings](images/13201b477bc9a9ae0020814915fe80cc.png)
14. Verify the configuration, then click **Next**.
![Image of configuration settings](images/adc17988b0984ca2aa3ff8f41ddacaf9.png)
15. Click **Close** when the Wizard completes.
16. In the Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
![Image of configuration settings](images/4a37f3687e6ff53a593d3670b1dad3aa.png)
17. On the right panel, select the previously created collection and click **OK**.
![Image of configuration settings](images/26efa2711bca78f6b6d73712f86b5bd9.png)
### Previous versions of Windows Client (Windows 7 and Windows 8.1)
Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
2. Under operating system choose **Windows 7 SP1 and 8.1**.
![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png)
3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
Edit the InstallMMA.cmd with a text editor, such as notepad and update the
following lines and save the file:
![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
Systems:
- Server SKUs: Windows Server 2008 SP1 or Newer
- Client SKUs: Windows 7 SP1 and later
The MMA agent will need to be installed on Windows devices. To install the
agent, some systems will need to download the [Update for customer experience
and diagnostic
telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
in order to collect the data with MMA. These system versions include but may not
be limited to:
- Windows 8.1
- Windows 7
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2
Specifically, for Windows 7 SP1, the following patches must be installed:
- Install
[KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- Install either [.NET Framework
4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
later) **or**
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
Do not install both on the same system.
To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
below to utilize the provided batch files to onboard the systems. The CMD file
when executed, will require the system to copy files from a network share by the
System, the System will install MMA, Install the DependencyAgent, and configure
MMA for enrollment into the workspace.
1. In the Configuration Manager console, navigate to **Software
Library**.
2. Expand **Application Management**.
3. Right-click **Packages** then select **Create Package**.
4. Provide a Name for the package, then click **Next**
![Image of Configuration Manager console](images/e156a7ef87ea6472d57a3dc594bf08c2.png)
5. Verify **Standard Program** is selected.
![Image of Configuration Manager console](images/227f249bcb6e7f29c4d43aa1ffaccd20.png)
6. Click **Next**.
![Image of Configuration Manager console](images/2c7f9d05a2ebd19607cc76b6933b945b.png)
7. Enter a program name.
8. Browse to the location of the InstallMMA.cmd.
9. Set Run to **Hidden**.
10. Set **Program can run** to **Whether or not a user is logged on**.
11. Click **Next**.
12. Set the **Maximum allowed run time** to 720.
13. Click **Next**.
![Image of Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png)
14. Verify the configuration, then click **Next**.
![Image of Configuration Manager console](images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png)
15. Click **Next**.
16. Click **Close**.
17. In the Configuration Manager console, right-click the Microsoft Defender ATP
Onboarding Package just created and select **Deploy**.
18. On the right panel select the appropriate collection.
19. Click **OK**.
## Next generation protection
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
![Image of antimalware policy](images/9736e0358e86bc778ce1bd4c516adb8b.png)
2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
![Image of next generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png)
In certain industries or some select enterprise customers might have specific
needs on how Antivirus is configured.
[Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
![Image of next generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png)
![Image of next generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png)
![Image of next generation protection pane](images/a28afc02c1940d5220b233640364970c.png)
![Image of next generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png)
![Image of next generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png)
![Image of next generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png)
![Image of next generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png)
![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png)
3. Right-click on the newly created antimalware policy and select **Deploy** .
![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png)
4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
![Image of next generation protection pane](images/26efa2711bca78f6b6d73712f86b5bd9.png)
After completing this task, you now have successfully configured Windows
Defender Antivirus.
## Attack Surface Reduction
The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
Protection. All these features provide an audit mode and a block mode. In audit mode there is no end user impact all it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step by step move security controls into block mode.
To set ASR rules in Audit mode:
1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
![Image of Configuration Manager console](images/728c10ef26042bbdbcd270b6343f1a8a.png)
2. Select **Attack Surface Reduction**.
3. Set rules to **Audit** and click **Next**.
![Image of Configuration Manager console](images/d18e40c9e60aecf1f9a93065cb7567bd.png)
4. Confirm the new Exploit Guard policy by clicking on **Next**.
![Image of Configuration Manager console](images/0a6536f2c4024c08709cac8fcf800060.png)
5. Once the policy is created click **Close**.
![Image of Configuration Manager console](images/95d23a07c2c8bc79176788f28cef7557.png)
6. Right-click on the newly created policy and choose **Deploy**.
![Image of Configuration Manager console](images/8999dd697e3b495c04eb911f8b68a1ef.png)
7. Target the policy to the newly created Windows 10 collection and click **OK**.
![Image of Configuration Manager console](images/0ccfe3e803be4b56c668b220b51da7f7.png)
After completing this task, you now have successfully configured ASR rules in audit mode.
Below are additional steps to verify whether ASR rules are correctly applied to
endpoints. (This may take few minutes)
1. From a web browser, navigate to <https://securitycenter.windows.com>.
2. Select **Configuration management** from left side menu.
![A screenshot of a cell phone Description automatically generated](images/653db482c7ccaf31d06f29fb2aa24b7a.png)
3. Click **Go to attack surface management** in the Attack surface management panel.
![Image of attack surface management](images/3a01c7970ce3ec977a35883c0a01f0a2.png)
4. Click **Configuration** tab in Attack Surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png)
5. Click each device shows configuration details of ASR rules.
![A screenshot of attack surface reduction rules reports](images/24bfb16ed561cbb468bd8ce51130ca9d.png)
See [Optimize ASR rule deployment and
detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
### To set Network Protection rules in Audit mode:
1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
![A screenshot Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png)
2. Select **Network protection**.
3. Set the setting to **Audit** and click **Next**.
![A screenshot Configuration Manager](images/c039b2e05dba1ade6fb4512456380c9f.png)
4. Confirm the new Exploit Guard Policy by clicking **Next**.
![A screenshot Exploit GUard policy](images/0a6536f2c4024c08709cac8fcf800060.png)
5. Once the policy is created click on **Close**.
![A screenshot Exploit GUard policy](images/95d23a07c2c8bc79176788f28cef7557.png)
6. Right-click on the newly created policy and choose **Deploy**.
![A screenshot Configuration Manager](images/8999dd697e3b495c04eb911f8b68a1ef.png)
7. Select the policy to the newly created Windows 10 collection and choose **OK**.
![A screenshot Configuration Manager](images/0ccfe3e803be4b56c668b220b51da7f7.png)
After completing this task, you now have successfully configured Network
Protection in audit mode.
### To set Controlled Folder Access rules in Audit mode:
1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
![A screenshot of Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png)
2. Select **Controlled folder access**.
3. Set the configuration to **Audit** and click **Next**.
![A screenshot of Configuration Manager](images/a8b934dab2dbba289cf64fe30e0e8aa4.png)
4. Confirm the new Exploit Guard Policy by clicking on **Next**.
![A screenshot of Configuration Manager](images/0a6536f2c4024c08709cac8fcf800060.png)
5. Once the policy is created click on **Close**.
![A screenshot of Configuration Manager](images/95d23a07c2c8bc79176788f28cef7557.png)
6. Right-click on the newly created policy and choose **Deploy**.
![A screenshot of Configuration Manager](images/8999dd697e3b495c04eb911f8b68a1ef.png)
7. Target the policy to the newly created Windows 10 collection and click **OK**.
![A screenshot of Configuration Manager](images/0ccfe3e803be4b56c668b220b51da7f7.png)
After completing this task, you now have successfully configured Controlled folder access in audit mode.
## Next step
|||
|:-------|:-----|
|![Phase 3: Onboard](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them

3
windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
View File

@ -29,6 +29,9 @@ ms.topic: article
Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga]
## In this section
Topic | Description

177
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
View File

@ -27,155 +27,9 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)]
## Before you begin
Ensure that your machines:
- Are onboarded to Microsoft Defender Advanced Threat Protection
- Run with Windows 10 1709 (Fall Creators Update) or later
>[!NOTE]
>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
> Release | Security update KB number and link
> :---|:---
> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
- Have at least one security recommendation that can be viewed in the machine page
- Are tagged or marked as co-managed
## Reduce your threat and vulnerability exposure
Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
- Likelihood of the device to get breached given its current security posture
- Value of the device to the organization given its role and content
The exposure score is broken down into the following levels:
- 029: low exposure score
- 3069: medium exposure score
- 70100: high exposure score
You can remediate the issues based on prioritized security recommendations to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
To lower down your threat and vulnerability exposure:
1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens.
There are two types of recommendations:
- *Security update* which refers to recommendations that require a package installation
- *Configuration change* which refers to recommendations that require a registry or GPO modification
Always prioritize recommendations that are associated with ongoing threats:
- ![Threat insight](images/tvm_bug_icon.png) Threat insight icon
- ![Possible active alert](images/tvm_alert_icon.png) Active alert icon
>![Top security recommendations](images/tvm_security_recommendations.png)
2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png)
3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png)
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Details in machine page](images/tvm_machine_page_details.png)
5. Allow a few hours for the changes to propagate in the system.
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
## Improve your security configuration
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as [Configuration score](configuration-score.md).
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
1. From the Configuration score widget, select **Security controls**. The **Security recommendations** page opens and shows the list of issues related to security controls.
>![Configuration score widget](images/tvm_config_score.png)
2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
![Security controls related security recommendations](images/tvm_security_controls.png)
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
>![Request remediation](images/tvm_request_remediation.png).
You will see a confirmation message that the remediation task has been created.
>![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
4. Save your CSV file.
![Save csv file](images/tvm_save_csv_file.png)
5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
## Request a remediation
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow.
Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
1. Click a security recommendation you would like to request remediation for, and then click **Remediation options**.
2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**.
3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
4. Go to the **Remediation** page to view the status of your remediation request.
See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
>[!NOTE]
>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
## File for exception
With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
Exceptions can be created for both *Security update* and *Configuration change* recommendations.
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu.
2. Click the top-most recommendation. A flyout panel opens with the recommendation details.
3. Click **Exception options**.
![Screenshot of the exception option in the remediation flyout pane](images/tvm-exception-option.png)
4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png)
5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png)
6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png)
## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
1. Go to **Advanced hunting** from the left-hand navigation pane.
1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center.
2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
@ -196,22 +50,22 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
```
## Conduct an inventory of software or software versions which have reached end-of-support (EOS)
## Find and remediate software or software versions which have reached end-of-support (EOS)
End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem.
To conduct an inventory of software or software versions which have reached end-of-support:
To find software or software versions which have reached end-of-support:
1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options to see the list of software recommendations associated with software which have reached end of support (tagged as **EOS software**).
3. Select **Software update** from **Remediation Type** options to see the list of software recommendations associated with software and software versions which have reached end-of-support (tagged as **EOS versions installed**).
4. Select software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**.
![Screenshot of Security recommendation for a software that reached its end of life page](images/secrec_flyout.png)
2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**.
5. In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-support, and how many vulnerabilities were discovered in it.
![Screenshot of software details for a software that reached its end of support](images/secrec_sw_details.png)
![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png)
3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png)
After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
@ -228,10 +82,9 @@ After you have identified which software and software versions are vulnerable du
- [Weaknesses](tvm-weaknesses.md)
- [Advanced hunting overview](overview-hunting.md)
- [All advanced hunting tables](advanced-hunting-reference.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)

11
windows/security/threat-protection/microsoft-defender-atp/time-settings.md
View File

@ -72,11 +72,12 @@ IE and Microsoft Edge use the **Region** settings configured in the **Clocks, La
#### Known issues with regional formats
**Date and time formats**<br>
There are some known issues with the time and date formats.
There are some known issues with the time and date formats. If you configure your regional settings to anything other than the supported formats, the portal may not correctly reflect your settings.
The following date formats are supported:
- MM/dd/yyyy
- dd/MM/yyyy
The following date and time formats are supported:
- Date format MM/dd/yyyy
- Date format dd/MM/yyyy
- Time format hh:mm:ss (12 hour format)
The following date and time formats are currently not supported:
- Date format yyyy-MM-dd
@ -84,7 +85,7 @@ The following date and time formats are currently not supported:
- Date format dd/MM/yy
- Date format MM/dd/yy
- Date format with yy. Will only show yyyy.
- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported.
- Time format HH:mm:ss (24 hour format)
**Decimal symbol used in numbers**<br>
Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.

73
windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
View File

@ -1,6 +1,6 @@
---
title: What's in the dashboard and what it means for my organization's security posture
description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their org's security resilience.
title: Threat & Vulnerability Management dashboard overview
description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience.
keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
search.appverid: met150
search.product: eADQiWindows 10XVcnh
@ -8,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -19,59 +19,72 @@ ms.topic: conceptual
# Threat & Vulnerability Management dashboard overview
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager
You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
- Correlate EDR insights with endpoint vulnerabilities and process them
- Correlate EDR insights with endpoint vulnerabilities and process them
- Select remediation options, triage and track the remediation tasks
- Select exception options and track active exceptions
> [!NOTE]
> Machines that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score.
Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r1nv]
## Threat & Vulnerability Management in Microsoft Defender Security Center
When you open the portal, youll see the main areas of the capability:
![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png)
![Threat & Vulnerability Management menu](images/tvm-menu.png)
When you open the portal, you'll see the main areas of the capability:
- (1) Menu in the navigation pane
- (2) Threat & Vulnerability Management icon
- (1) Menu to open the navigation pane
- (2) Threat & Vulnerability Management navigation pane
- (3) Threat & Vulnerability Management dashboard
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png)
![Threat & Vulnerability Management menu](images/tvm-menu.png)
You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section.
## Threat & Vulnerability Management navigation pane
Area | Description
:---|:---
(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
**Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
**Security recommendations** | See the list of security recommendations, their related components, whether software or software versions in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
**Software inventory** | See the list of software, versions, weaknesses, whether theres an exploit found on the software, whether the software or software version has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only.
**Organization Exposure score** | See the current state of your organizations device exposure to threats and vulnerabilities. Several factors affect your organizations exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. See [Exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) for more information.
**Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organizations risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![Possible active alert](images/tvm_alert_icon.png), associated public exploits ![Threat insight](images/tvm_bug_icon.png), and recommendation insights ![Recommendation insight](images/tvm_insight_icon.png). Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached its end-of-life, or if the vulnerable version requires security updates and needs to be updated to the latest one). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your networks devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
**Dashboard** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates.
[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
## Threat & Vulnerability Management dashboard
Area | Description
:---|:---
**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages.
[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
[**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page.
**Machine exposure distribution** | See how many machines are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Machines list** page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Useful icons also quickly calls your attention to <ul><li> ![Possible active alert](images/tvm_alert_icon.png) possible active alerts</li><li>![Threat insight](images/tvm_bug_icon.png) associated public exploits</li><li>![Recommendation insight](images/tvm_insight_icon.png) recommendation insights</li></ul><br>Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached end-of-support, or if a vulnerable version requires updating). You can drill down on the security recommendation to see potential risks, list of exposed machines, and insights. You can then request a remediation for the recommendation. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
**Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine.
See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Exposure score](tvm-exposure-score.md)

74
windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
View File

@ -1,43 +1,78 @@
---
title: Exposure score
description: The Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) exposure score reflects how vulnerable your organization is to cybersecurity threats.
keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score
description: The Microsoft Defender ATP exposure score reflects how vulnerable your organization is to cybersecurity threats.
keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 06/30/2019
---
# Exposure score
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation.
Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation.
The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
![Exposure score widget](images/tvm_exp_score.png)
![Exposure score card](images/tvm_exp_score.png)
## How it works
Several factors affect your organization exposure score:
- Weakness discovered on the device
- Likelihood of a device getting breached
- Value of the device to the organization
- Relevant alert discovered on the device
Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
- Likelihood of the device to get breached given its current security posture
- Value of the device to the organization given its role and content
The exposure score is broken down into the following levels:
- 029: low exposure score
- 3069: medium exposure score
- 70100: high exposure score
You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
## Reduce your threat and vulnerability exposure
To lower your threat and vulnerability exposure, follow these steps.
1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) , and select the first item on the list. The **Security recommendation** page opens.
Always prioritize recommendations that are associated with ongoing threats:
- ![Threat insight](images/tvm_bug_icon.png) Threat insight icon
- ![Possible active alert](images/tvm_alert_icon.png) Active alert icon
![Screenshot of security recommendations page](images/top-security-recommendations350.png)
2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png)
3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png)
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Details in machine page](images/tvm_machine_page_details.png)
5. Allow a few hours for the changes to propagate in the system.
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
@ -47,8 +82,9 @@ Reduce the exposure score by addressing what needs to be remediated based on the
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)

144
windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
View File

@ -8,121 +8,131 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
---
# Remediation and exception
# Remediation activities and exceptions
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
## Navigate through your remediation options
You can access the remediation page in a few places in the portal:
- Security recommendation flyout panel
- Remediation in the navigation menu
- Top remediation activities widget in the dashboard
## Remediation
*Security recommendation flyout page*
<br>You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
## How remediation requests work
When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
The dashboard will show the status of your top remediation activities. Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
## Accessing the Remediation page
You can access the Remediation page in a few places in the portal:
- Security recommendations flyout panel
- Navigation menu
- Top remediation activities in the dashboard
### Security recommendation flyout page
You'll see remediation options when you select one of the security recommendations in the [Security recommendations page](tvm-security-recommendation.md).
1. From the flyout panel, you'll see the security recommendation details including next steps. Select **Remediation options**.
2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
3. Select a remediation due date.
4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
>[!NOTE]
>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
3. Select a remediation due date.
4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
*Remediation in the navigation menu*
1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of software which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Software update** from the **Remediation type** filter. Select **In progress** then click **Apply**.
### Navigation menu
1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
To see software which has reached end-of-support, select **Software uninstall** from the **Remediation type** filter. For specific software versions which have reached end-of-support, select **Software update** from the **Remediation type** filter. Select **In progress** then **Apply**.
![Screenshot of the remediation page filters for software update and uninstall](images/remediation_swupdatefilter.png)
2. Select the remediation activity that you need to see or process.
![Screenshot of the remediation page flyout for a software which reached its end-of-life](images/remediation_flyouteolsw.png)
2. Select the remediation activity that you want to view.
![Screenshot of the remediation page flyout for a software which reached end-of-support](images/remediation_flyouteolsw.png)
*Top remediation activities widget in the dashboard*
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** widget. The list is sorted and prioritized based on what is listed in the **Top security recommendations**.
2. Select the remediation activity that you need to see or process.
### Top remediation activities card the dashboard
## How it works
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** card. The list is sorted and prioritized based on what is listed in the **Top security recommendations**.
2. Select the remediation activity that you want to view.
When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
## Exception options
The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md).
## When to file for exception instead of remediating issues
You can file exceptions to exclude certain recommendation from showing up in reports and affecting your configuration score.
When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**.
Select **Exception options** and a flyout screen opens.
When you select a [security recommendation](tvm-security-recommendation.md), it opens a flyout screen with details and options for your next steps. Select **Exception options** to fill out the justification and context.
![Screenshot of exception flyout screen](images/tvm-exception-flyout.png)
### Exception justification
If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The following list details the justifications behind the exception options:
- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus
- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
- **Other** - False positive
![Screenshot of exception reason dropdown menu](images/tvm-exception-dropdown.png)
- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus
- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
- **Other** - False positive
### Exception visibility
The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab.
However, you also have the option to filter your view based on exception justification, type, and status.
![Screenshot of exception reason dropdown menu](images/tvm-exception-dropdown.png)
### Where to find exceptions
The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status.
![Screenshot of exception tab and filters](images/tvm-exception-filters.png)
Aside from that, there's also an option to **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard.
You can also select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. Selecting the link opens a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard](images/tvm-exception-dashboard.png)
Clicking the link opens up to the **Security recommendations** page, where you can select the item exempted item with details.
### Exception actions and statuses
![Screenshot of exception details in the Security recommendation page](images/tvm-exception-details.png)
You can take the following actions on an exception:
### Actions on exceptions
- Cancel - You can cancel the exceptions you've filed any time
- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
- Cancel - You can cancel the exceptions you've filed any time
- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
### Exception status
- **Canceled** - The exception has been canceled and is no longer in effect
- **Expired** - The exception that you've filed is no longer in effect
- **In effect** - The exception that you've filed is in progress
The following statuses will be a part of an exception:
- **Canceled** - The exception has been canceled and is no longer in effect
- **Expired** - The exception that you've filed is no longer in effect
- **In effect** - The exception that you've filed is in progress
### Exception impact on scores
Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Configuration Score (for configurations) of your organization in the following manner:
- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made
- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made
The exception impact shows on both the Security recommendations page column and in the flyout pane.
![Screenshot of where to find the exception impact](images/tvm-exception-impact.png)
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
@ -132,11 +142,9 @@ The exception impact shows on both the Security recommendations page column and
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)

Some files were not shown because too many files have changed in this diff Show More