deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

Browse Source
This commit is contained in:
officedocspr 2020-01-28 00:14:53 +00:00
commit 522b385ceb
41 changed files with 2104 additions and 178 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.openpublishing.redirection.json
View File

@ -58,7 +58,7 @@
{
"source_path": "devices/surface/manage-surface-pro-3-firmware-updates.md",
"redirect_url": "https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates",
"redirect_document_id": true
"redirect_document_id": false
},
{
"source_path": "devices/surface/update.md",
@ -15577,6 +15577,11 @@
"redirect_document_id": false
},
{
"source_path": "devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md",
"redirect_url": "/surface/manage-surface-driver-and-firmware-updates",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/planning/windows-10-1809-removed-features.md",
"redirect_url": "https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features",
"redirect_document_id": false

5
devices/surface/TOC.md
View File

@ -28,7 +28,7 @@
### [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md)
### [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md)
### [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
@ -40,13 +40,14 @@
## Manage
### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
### [Optimize Wi-Fi connectivity for Surface devices](surface-wireless-connect.md)
### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
### [Surface Dock Firmware Update](surface-dock-firmware-update.md)
### [Battery Limit setting](battery-limit.md)
### [Surface Brightness Control](microsoft-surface-brightness-control.md)
### [Surface Asset Tag](assettag.md)
### [Manage Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
## Secure
### [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md)

18
devices/surface/change-history-for-surface.md
View File

@ -18,6 +18,12 @@ ms.date: 10/21/2019
This topic lists new and updated topics in the Surface documentation library.
## January 2020
| **New or changed topic** | **Description** |
| ------------------------ | --------------- |
| [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)| Updated with the latest information and links to related articles.|
## October 2019
| **New or changed topic** | **Description** |
@ -37,7 +43,7 @@ This topic lists new and updated topics in the Surface documentation library.
| **New or changed topic** | **Description** |
| ------------------------ | --------------- |
| [Optimizing wireless connectivity for Surface devices](surface-wireless-connect.md) | New document highlights key wireless connectivity considerations for Surface devices in mobile scenarios. |
| [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Updated to reflect minor changes in the file naming convention for Surface MSI files. |
| [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Updated to reflect minor changes in the file naming convention for Surface MSI files. |
## July 2019
@ -76,14 +82,14 @@ New or changed topic | Description
--- | ---
[Surface Brightness Control](microsoft-surface-brightness-control.md) | New
[Maintain optimal power settings on Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) | New
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Studio 2 |
|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface Studio 2 |
## November 2018
New or changed topic | Description
--- | ---
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Pro 6 |
|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface Pro 6 |
[Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | New
[Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) | New
[Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) | New
@ -93,7 +99,7 @@ New or changed topic | Description
New or changed topic | Description
--- | ---
[Battery Limit setting](battery-limit.md) | New
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface GO |
|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface GO |
## May 2018
@ -121,7 +127,7 @@ New or changed topic | Description
|New or changed topic | Description |
| --- | --- |
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Book 2, Surface Laptop, Surface Pro, and Surface Pro with LTE Advanced information |
|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface Book 2, Surface Laptop, Surface Pro, and Surface Pro with LTE Advanced information |
## October 2017
@ -160,7 +166,7 @@ New or changed topic | Description
|New or changed topic | Description |
| --- | --- |
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
## November 2016

105
devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
View File

@ -1,105 +0,0 @@
---
title: Deploy the latest firmware and drivers for Surface devices (Surface)
description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
ms.reviewer: dansimp
manager: kaushika
keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device
ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: dansimp
ms.audience: itpro
ms.date: 11/25/2019
ms.author: dansimp
ms.topic: article
---
# Deploy the latest firmware and drivers for Surface devices
> **Home users:** This article is only intended for technical support agents and IT professionals, and applies only to Surface devices. If you're looking for help to install Surface updates or firmware on a home device, please see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505).
Under typical conditions, Windows Update automatically keeps Windows Surface devices up-to-date by downloading and installing the latest device drivers and firmware. However, you may sometimes have to download and install updates manually. For example, you may have to manually manage updates when you deploy a new version of Windows.
## Downloading MSI files
[Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface) provides links to download installation files for the following:
- Administrative tools
- Drivers for accessories
- For some devices, updates for Windows
## Deploying MSI files
Specific versions of Windows 10 have separate MSI files. Each MSI file contains all required cumulative driver and firmware updates for Surface devices.
The MSI file names contain useful information, including the minimum supported Windows build number that is required to install the drivers and firmware. For example, to install the drivers that are contained in SurfaceBook_Win10_17763_19.080.2031.0.msi on a Surface Book, the device must be running Windows 10 Fall Creators Update, version 1709 or later.
For more information about build numbers for each Windows version, see [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
### Surface MSI naming convention
Beginning in August, 2019, MSI files have used the following naming convention:
> *Product*\_*Windows release*\_*Windows build number*\_*Version number*\_*Revision of version number (typically zero)*.
**Example**
Consider the following MSI file:
> SurfacePro6_Win10_18362_19.073.44195_0.msi
This file name provides the following information:
- **Product:** SurfacePro6
- **Windows release:** Win10
- **Build:** 18362
- **Version:** 19.073.44195 – This shows the date and time that the file was created, as follows:
- **Year:** 19 (2019)
- **Month and week:** 073 (third week of July)
- **Minute of the month:** 44195
- **Revision of version:** 0 (first release of this version)
### Legacy Surface MSI naming convention
Legacy MSI files (files that were built before August, 2019) followed the same overall naming formula, but used a different method to derive the version number.
**Example**
Consider the following MSI file:
> SurfacePro6_Win10_16299_1900307_0.msi
This file name provides the following information:
- **Product:** SurfacePro6
- **Windows release:** Win10
- **Build:** 16299
- **Version:** 1900307 – This shows the date that the file was created and its position in the release sequence, as follows:
- **Year:** 19 (2019)
- **Number of release:** 003 (third release of the year)
- **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro)
- **Revision of version:** 0 (first release of this version)
Use the **version** number to determine the latest files that contain the most recent security updates. For example, consider the following list:
- SurfacePro6_Win10_16299_1900307_0.msi
- SurfacePro6_Win10_17134_1808507_3.msi
- SurfacePro6_Win10_17763_1808707_3.msi
In this list, the newest file is the first file (SurfacePro6_Win10_16299_1900307_0.msi). Its **Version** field has the newest date (2019). The other files are from 2018.
## Supported devices
For downloadable MSI files for devices that run Surface Pro 2 and later versions, see [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). This article contains information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3, as they are released.
> [!NOTE]
> There are no downloadable firmware or driver updates available for Surface devices that run Windows RT, including Surface RT and Surface 2. To update these devices, use Windows Update.
For more information about how to deploy Surface drivers and firmware, see the following articles:
- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
- [Surface for Business help](https://www.microsoft.com/surface/support/business)

3
devices/surface/get-started.md
View File

@ -46,9 +46,10 @@ Harness the power of Surface, Windows, and Office connected together through the
</div>
<div class="cardText">
<h3>Deploy</h3>
<p><a href="manage-surface-driver-and-firmware-updates.md">Manage and deploy Surface driver and firmware updates</a></p>
<p><a href="windows-autopilot-and-surface-devices.md">Autopilot and Surface devices</a></p>
<p><a href="surface-pro-arm-app-management.md">Deploying, managing, and servicing Surface Pro X</a></p>
<p><a href="deploy-the-latest-firmware-and-drivers-for-surface-devices.md">Deploy the latest firmware and drivers</a></p>
</div>
</div>
</div>

10
devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
View File

@ -28,12 +28,12 @@ low power idle state (S0ix).
To ensure Surface devices across your organization fully benefit from Surface power optimization features:
- Install the latest drivers and firmware from Windows Update or the Surface Driver and Firmware MSI. This creates the balanced power plan (aka power profile) by default and configures optimal power settings. For more information, refer to [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
- Install the latest drivers and firmware from Windows Update or the Surface Driver and Firmware MSI. This creates the balanced power plan (aka power profile) by default and configures optimal power settings. For more information, refer to [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md).
- Avoid creating custom power profiles or adjusting advanced power settings not visible in the default UI (**System** > **Power & sleep**).
- If you must manage the power profile of devices across your network (such as in highly managed organizations), use the powercfg command tool to export the power plan from the factory image of the Surface device and then import it into the provisioning package for your Surface devices.
>[!NOTE]
>You can only export a power plan across the same type of Surface device. For example, you cannot export a power plan from Surface Laptop and import it on Surface Pro. For more information, refer to [Configure power settings](https://docs.microsoft.com/windows-hardware/customize/power-settings/configure-power-settings).
>[!NOTE]
>You can only export a power plan across the same type of Surface device. For example, you cannot export a power plan from Surface Laptop and import it on Surface Pro. For more information, refer to [Configure power settings](https://docs.microsoft.com/windows-hardware/customize/power-settings/configure-power-settings).
- Exclude Surface devices from any existing power management policy settings.
@ -166,7 +166,7 @@ To learn more, see:
| Check app usage | Your apps | Close apps.|
| Check your power cord for any damage.| Your power cord | Replace power cord if worn or damaged.|
# Learn more
## Learn more
- [Modern
standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-wake-sources)
@ -178,4 +178,4 @@ To learn more, see:
- [Battery
saver](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver)
- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
- [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)

2
devices/surface/microsoft-surface-deployment-accelerator.md
View File

@ -80,7 +80,7 @@ For environments where the SDA server will not be able to connect to the Interne
*Figure 2. Specify a local source for Surface driver and app files*
You can find a full list of available driver downloads at [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
You can find a full list of available driver downloads at [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
>[!NOTE]
>Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder.

2
devices/surface/surface-pro-arm-app-management.md
View File

@ -73,7 +73,7 @@ Surface Pro X was designed to use Windows Update to simplify the process of keep
- Use Windows Update or Windows Update for Business for maintaining the latest drivers and firmware. For more information, see [Deploy Updates using Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).
- If your procedures require using a Windows Installer .msi file, contact [Surface for Business support](https://support.microsoft.com/help/4037645).
- For more information about deploying and managing updates on Surface devices, see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
- For more information about deploying and managing updates on Surface devices, see [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md).
- Note that Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X.
## Running apps on Surface Pro X

81
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -1,11 +1,13 @@
---
title: ApplicationControl CSP
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server.
keywords: whitelisting, security, malware
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: ManikaDhiman
ms.reviewer: jsuther1974
ms.date: 05/21/2019
---
@ -61,7 +63,8 @@ This node specifies whether a policy is actually loaded by the enforcement engin
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
Value type is bool. Supported values are as follows:
- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system.
- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default.
@ -70,7 +73,8 @@ This node specifies whether a policy is deployed on the system and is present on
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
Value type is bool. Supported values are as follows:
- True — Indicates that the policy is deployed on the system and is present on the physical machine.
- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default.
@ -79,7 +83,8 @@ This node specifies whether the policy is authorized to be loaded by the enforce
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
Value type is bool. Supported values are as follows:
- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system.
- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default.
@ -112,24 +117,43 @@ Scope is dynamic. Supported operation is Get.
Value type is char.
## Usage guidance
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
To use ApplicationControl CSP, you must:
- Know a generated policys GUID, which can be found in the policy xml as `<PolicyTypeID>`.
- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy via uploading the binary file.
## Non-Intune Usage Guidance
In order to leverage the ApplicationControl CSP without using Intune, you must:
1. Know a generated policys GUID, which can be found in the policy xml as <PolicyID> or <PolicyTypeID> for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool.
Below is a sample certutil invocation:
```cmd
certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
```
An alternative to using certutil would be to use the following PowerShell invocation:
```powershell
[Convert]::toBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))
```
### Deploy Policies
### Deploy policies
To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below.
To deploy base policy and supplemental policies:
- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
- Repeat for each base or supplemental policy (with its own GUID and data).
1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
2. Repeat for each base or supplemental policy (with its own GUID and data).
The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD).
**Example 1: Add first base policy**
#### Example 1: Add first base policy
```xml
<Add>
<CmdID>1</CmdID>
@ -144,7 +168,9 @@ The following example shows the deployment of two base policies and a supplement
</Item>
</Add>
```
**Example 2: Add second base policy**
#### Example 2: Add second base policy
```xml
<Add>
<CmdID>1</CmdID>
@ -159,7 +185,9 @@ The following example shows the deployment of two base policies and a supplement
</Item>
</Add>
```
**Example 3: Add supplemental policy**
#### Example 3: Add supplemental policy
```xml
<Add>
<CmdID>1</CmdID>
@ -174,6 +202,7 @@ The following example shows the deployment of two base policies and a supplement
</Item>
</Add>
```
### Get policies
Perform a GET using a deployed policys GUID to interrogate/inspect the policy itself or information about it.
@ -190,7 +219,8 @@ The following table displays the result of Get operation on different nodes:
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy|
The following is an example of Get command:
The following is an example of Get command:
```xml
<Get>
<CmdID>1</CmdID>
@ -203,17 +233,28 @@ The following is an example of Get command:
```
### Delete policies
#### Rebootless Deletion
Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
#### Unsigned Policies
To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**.
> [!Note]
> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
#### Signed Policies
> [!NOTE]
> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
To delete a signed policy:
1. Replace it with a signed update allowing unsigned policy.
2. Deploy another update with unsigned policy.
2. Deploy another update with unsigned Allow All policy.
3. Perform delete.
The following is an example of Delete command:
```xml
<Delete>
<CmdID>1</CmdID>

40
windows/security/threat-protection/TOC.md
View File

@ -403,6 +403,9 @@
####### [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md)
####### [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md)
####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
####### [Get installed software](microsoft-defender-atp/get-installed-software.md)
####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md)
####### [Get security recommendation](microsoft-defender-atp/get-security-recommendations.md)
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
@ -453,6 +456,34 @@
####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
###### [Score]()
####### [Score methods and properties](microsoft-defender-atp/score.md)
####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
###### [Software]()
####### [Software methods and properties](microsoft-defender-atp/software.md)
####### [List software](microsoft-defender-atp/get-software.md)
####### [Get software by Id](microsoft-defender-atp/get-software-by-id.md)
####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md)
####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md)
####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md)
###### [Vulnerability]()
####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
####### [Get all vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
###### [Recommendation]()
####### [Recommendation methods and properties](microsoft-defender-atp/recommendation.md)
####### [List all recommendations](microsoft-defender-atp/get-all-recommendations.md)
####### [Get recommendation by Id](microsoft-defender-atp/get-recommendation-by-id.md)
####### [Get recommendation by software](microsoft-defender-atp/get-recommendation-software.md)
####### [Get recommendation by machines](microsoft-defender-atp/get-recommendation-machines.md)
####### [Get recommendation by vulnerabilities](microsoft-defender-atp/get-recommendation-vulnerabilities.md)
##### [How to use APIs - Samples]()
###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
###### [Power BI](microsoft-defender-atp/api-power-bi.md)
@ -460,11 +491,18 @@
###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
#### [Windows updates (KB) info]()
##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md)
#### [Common Vulnerabilities and Exposures (CVE) to KB map]()
##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
#### [Pull detections to your SIEM tools]()
#### [Raw data streaming API]()
##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
#### [SIEM integration]()
##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)

4
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
View File

@ -57,6 +57,10 @@ Machines | Run API calls such as get machines, get machines by ID, information a
Machine Actions | Run API call such as Isolation, Run anti-virus scan and more.
Indicators | Run API call such as create Indicator, get Indicators and delete Indicators.
Users | Run API calls such as get user related alerts and user related machines.
Score | Run API calls such as get exposure score or get device secure score.
Software | Run API calls such as list vulnerabilities by software.
Vulnerability | Run API calls such as list machines by vulnerability.
Recommendation | Run API calls such as Get recommendation by Id.
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)

104
windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md Normal file
View File

@ -0,0 +1,104 @@
---
title: List all recommendations
description: Retrieves a list of all security recommendations affecting the organization.
keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# List all recommendations
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of all security recommendations affecting the organization.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
```
GET /api/recommendations
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the list of security recommendations in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/recommendations
```
**Response**
Here is an example of the response.
```
Content-type: json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
"value": [
{
"id": "va-_-microsoft-_-windows_10",
"productName": "windows_10",
"recommendationName": "Update Windows 10",
"weaknesses": 397,
"vendor": "microsoft",
"recommendedVersion": "",
"recommendationCategory": "Application",
"subCategory": "",
"severityScore": 0,
"publicExploit": true,
"activeAlert": false,
"associatedThreats": [
"3098b8ef-23b1-46b3-aed4-499e1928f9ed",
"40c189d5-0330-4654-a816-e48c2b7f9c4b",
"4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
"e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
"94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
],
"remediationType": "Update",
"status": "Active",
"configScoreImpact": 0,
"exposureImpact": 7.674418604651163,
"totalMachineCount": 37,
"exposedMachinesCount": 7,
"nonProductivityImpactedAssets": 0,
"relatedComponent": "Windows 10"
},
}
```

92
windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md Normal file
View File

@ -0,0 +1,92 @@
---
title: Get all vulnerabilities
description: Retrieves a list of all the vulnerabilities affecting the organization
keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get all vulnerabilities
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of all the vulnerabilities affecting the organization.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
## HTTP request
```
GET /api/vulnerabilities
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the list of vulnerabilities in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/Vulnerabilities
```
**Response**
Here is an example of the response.
```
Content-type: json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
"value": [
{
"id": "CVE-2019-0608",
"name": "CVE-2019-0608",
"description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
"severity": "Medium",
"cvssV3": 4.3,
"exposedMachines": 4,
"publishedOn": "2019-10-08T00:00:00Z",
"updatedOn": "2019-12-16T16:20:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
},
{
..
}
```

84
windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md Normal file
View File

@ -0,0 +1,84 @@
---
title: Get Device Secure score
description: Retrieves the organizational device secure score.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get Device Secure score
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves the organizational device secure score.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---
Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
## HTTP request
```
GET /api/configurationScore
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK, with the with device secure score data in the response body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/configurationScore
```
**Response**
Here is an example of the response.
>[!NOTE]
>The response list shown here may be truncated for brevity.
```json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
"time": "2019-12-03T09:15:58.1665846Z",
"score": 340,
"rbacGroupId": null
}
```
## Related topics
- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)

89
windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md Normal file
View File

@ -0,0 +1,89 @@
---
title: Get discovered vulnerabilities
description: Retrieves a collection of discovered vulnerabilities related to a given machine ID.
keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get discovered vulnerabilities
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a collection of discovered vulnerabilities related to a given machine ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
## HTTP request
```
GET /api/machines/{machineId}/vulnerabilities
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the discovered vulnerability information in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
```
**Response**
Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
{
"id": "CVE-2019-1348",
"name": "CVE-2019-1348",
"description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
"severity": "Medium",
"cvssV3": 4.3,
"exposedMachines": 1,
"publishedOn": "2019-12-13T00:00:00Z",
"updatedOn": "2019-12-13T00:00:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
}
}
```

86
windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md Normal file
View File

@ -0,0 +1,86 @@
---
title: Get exposure score
description: Retrieves the organizational exposure score.
keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get exposure score
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves the organizational exposure score.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
## HTTP request
```
GET /api/exposureScore
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK, with the exposure data in the response body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/exposureScore
```
**Response**
Here is an example of the response.
>[!NOTE]
>The response list shown here may be truncated for brevity.
```json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
"time": "2019-12-03T07:23:53.280499Z",
"score": 33.491554051195706,
"rbacGroupId": null
}
```
## Related topics
- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)

85
windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md Normal file
View File

@ -0,0 +1,85 @@
---
title: Get installed software
description: Retrieves a collection of installed software related to a given machine ID.
keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per machine, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get installed software
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a collection of installed software related to a given machine ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
## HTTP request
```
GET /api/machines/{machineId}/software
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the installed software information in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
```
**Response**
Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
"value": [
{
"id": "microsoft-_-internet_explorer",
"name": "internet_explorer",
"vendor": "microsoft",
"weaknesses": 67,
"publicExploit": true,
"activeAlert": false,
"exposedMachines": 42115,
"impactScore": 46.2037163
}
]
}
```

96
windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md Normal file
View File

@ -0,0 +1,96 @@
---
title: List exposure score by machine group
description: Retrieves a list of exposure scores by machine group.
keywords: apis, graph api, supported apis, get, exposure score, machine group, machine group exposure score
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# List exposure score by machine group
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a collection of alerts related to a given domain address.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
## HTTP request
```
GET /api/exposureScore/ByMachineGroups
```
## Request headers
| Name | Type | Description
|:--------------|:-------|:--------------|
| Authorization | String | Bearer {token}.**Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK, with a list of exposure score per machine group data in the response body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups
```
**Response**
Here is an example of the response.
```json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
"value": [
{
"time": "2019-12-03T09:51:28.214338Z",
"score": 41.38041766305988,
"rbacGroupId": 10
},
{
"time": "2019-12-03T09:51:28.2143399Z",
"score": 37.403726933165366,
"rbacGroupId": 11
},
{
"time": "2019-12-03T09:51:28.2143407Z",
"score": 26.390921344426033,
"rbacGroupId": 9
},
{
"time": "2019-12-03T09:51:28.2143414Z",
"score": 23.58823563070858,
"rbacGroupId": 5
}
]
}
```

89
windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md Normal file
View File

@ -0,0 +1,89 @@
---
title: List machines by software
description: Retrieve a list of machines that has this software installed.
keywords: apis, graph api, supported apis, get, list machines, machines list, list machines by software, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# List machines by software
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieve a list of machines that has this software installed
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
## HTTP request
```
GET /api/Software/{Id}/machineReferences
```
## Request headers
| Name | Type | Description
|:--------------|:-------|:--------------|
| Authorization | String | Bearer {token}.**Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK and a list of machines with the software installed in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
```
**Response**
Here is an example of the response.
```json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
"value": [
{
"id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
"computerDnsName": "dave_desktop",
"osPlatform": "Windows10",
"rbacGroupId": 9
},
{
"id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
"computerDnsName": "jane_PC",
"osPlatform": "Windows10",
"rbacGroupId": 9
},
}
```

88
windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md Normal file
View File

@ -0,0 +1,88 @@
---
title: List machines by vulnerability
description: Retrieves a list of machines affected by a vulnerability.
keywords: apis, graph api, supported apis, get, machines list, vulnerable machines, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# List machines by vulnerability
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of machines affected by a vulnerability.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
## HTTP request
```
GET /api/vulnerabilities/{cveId}/machineReferences
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the vulnerability information in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
```
**Response**
Here is an example of the response.
```
Content-type: json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
"value": [
{
"id": "235a2e6278c63fcf85bab9c370396972c58843de",
"computerDnsName": "h1mkn_PC",
"osPlatform": "Windows10",
"rbacGroupId": 1268
},
{
"id": "afb3f807d1a185ac66668f493af028385bfca184",
"computerDnsName": "chat_Desk ",
"osPlatform": "Windows10",
"rbacGroupId": 410
}
]
}
```

93
windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md Normal file
View File

@ -0,0 +1,93 @@
---
title: Get recommendation by Id
description: Retrieves a security recommendation by its ID.
keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get recommendation by ID
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a security recommendation by its ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
```
GET /api/recommendations/{id}
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the security recommendations in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
```
**Response**
Here is an example of the response.
```
Content-type: json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
"id": "va-_-google-_-chrome",
"productName": "chrome",
"recommendationName": "Update Chrome",
"weaknesses": 38,
"vendor": "google",
"recommendedVersion": "",
"recommendationCategory": "Application",
"subCategory": "",
"severityScore": 0,
"publicExploit": false,
"activeAlert": false,
"associatedThreats": [],
"remediationType": "Update",
"status": "Active",
"configScoreImpact": 0,
"exposureImpact": 3.9441860465116285,
"totalMachineCount": 6,
"exposedMachinesCount": 5,
"nonProductivityImpactedAssets": 0,
"relatedComponent": "Chrome"
}
```

81
windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md Normal file
View File

@ -0,0 +1,81 @@
---
title: Get recommendation by machines
description: Retrieves a list of machines associated with the security recommendation.
keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get recommendation by machines
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of machines associated with the security recommendation.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
```
GET /api/recommendations/{id}/machineReferences
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the list of machines associated with the security recommendation.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
```
**Response**
Here is an example of the response.
```
Content-type: json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
"value": [
{
"id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
"computerDnsName": "niw_pc",
"osPlatform": "Windows10",
"rbacGroupId": 2154
},
}
```

81
windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md Normal file
View File

@ -0,0 +1,81 @@
---
title: Get recommendation by software
description: Retrieves a security recommendation related to a specific software.
keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get recommendation by software
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a security recommendation related to a specific software.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
```
GET /api/recommendations/{id}/software
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
```
**Response**
Here is an example of the response.
```
Content-type: json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
"id": "google-_-chrome",
"name": "chrome",
"vendor": "google",
"weaknesses": 38,
"publicExploit": false,
"activeAlert": false,
"exposedMachines": 5,
"impactScore": 3.94418621
}
```

90
windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md Normal file
View File

@ -0,0 +1,90 @@
---
title: Get recommendation by vulnerabilities
description: Retrieves a list of vulnerabilities associated with the security recommendation.
keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get recommendation by vulnerabilities
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of vulnerabilities associated with the security recommendation.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
```
GET /api/recommendations/{id}/vulnerabilities
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
```
**Response**
Here is an example of the response.
```
Content-type: json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
{
"id": "CVE-2019-13748",
"name": "CVE-2019-13748",
"description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
"severity": "Medium",
"cvssV3": 6.5,
"exposedMachines": 0,
"publishedOn": "2019-12-10T00:00:00Z",
"updatedOn": "2019-12-16T12:15:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
},
}
```

97
windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md Normal file
View File

@ -0,0 +1,97 @@
---
title: Get security recommendations
description: Retrieves a collection of security recommendations related to a given machine ID.
keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per machine, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get security recommendations
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a collection of security recommendations related to a given machine ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
```
GET /api/machines/{machineId}/recommendations
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the security recommendations in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
```
**Response**
Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
"value": [
{
"id": "va-_-git-scm-_-git",
"productName": "git",
"recommendationName": "Update Git to version 2.24.1.2",
"weaknesses": 3,
"vendor": "git-scm",
"recommendedVersion": "2.24.1.2",
"recommendationCategory": "Application",
"subCategory": "",
"severityScore": 0,
"publicExploit": false,
"activeAlert": false,
"associatedThreats": [],
"remediationType": "Update",
"status": "Active",
"configScoreImpact": 0,
"exposureImpact": 0,
"totalMachineCount": 0,
"exposedMachinesCount": 1,
"nonProductivityImpactedAssets": 0,
"relatedComponent": "Git"
},
}
```

83
windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md Normal file
View File

@ -0,0 +1,83 @@
---
title: Get software by Id
description: Retrieves a list of exposure scores by machine group.
keywords: apis, graph api, supported apis, get, software, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get software by Id
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves software details by ID
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
## HTTP request
```
GET /api/Software/{Id}
```
## Request headers
| Name | Type | Description
|:--------------|:-------|:--------------|
| Authorization | String | Bearer {token}.**Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the specified software data in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
```
**Response**
Here is an example of the response.
```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
"id": "microsoft-_-edge",
"name": "edge",
"vendor": "microsoft",
"weaknesses": 467,
"publicExploit": true,
"activeAlert": false,
"exposedMachines": 172,
"impactScore": 2.39947438
}
```

86
windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md Normal file
View File

@ -0,0 +1,86 @@
---
title: List software version distribution
description: Retrieves a list of your organization's software version distribution
keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# List software version distribution
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of your organization's software version distribution
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
## HTTP request
```
GET /api/Software/{Id}/distributions
```
## Request headers
| Name | Type | Description
|:--------------|:-------|:--------------|
| Authorization | String | Bearer {token}.**Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with a list of software distributions data in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
```
**Response**
Here is an example of the response.
```json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
"value": [
{
"version": "11.0.17134.1039",
"installations": 1,
"vulnerabilities": 11
},
{
"version": "11.0.18363.535",
"installations": 750,
"vulnerabilities": 0
},
}

84
windows/security/threat-protection/microsoft-defender-atp/get-software.md Normal file
View File

@ -0,0 +1,84 @@
---
title: List software
description: Retrieves a list of software inventory
keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# List software inventory API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves the organization software inventory
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
## HTTP request
```
GET /api/Software
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the software inventory in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/Software
```
**Response**
Here is an example of the response.
```
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
"value": [
{
"id": "microsoft-_-edge",
"name": "edge",
"vendor": "microsoft",
"weaknesses": 467,
"publicExploit": true,
"activeAlert": false,
"exposedMachines": 172,
"impactScore": 2.39947438
},
….
}

93
windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md Normal file
View File

@ -0,0 +1,93 @@
---
title: List vulnerabilities by software
description: Retrieve a list of vulnerabilities in the installed software.
keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# List vulnerabilities by software
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieve a list of vulnerabilities in the installed software.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
## HTTP request
```
GET /api/Software/{Id}/vulnerabilities
```
## Request headers
| Name | Type | Description
|:--------------|:-------|:--------------|
| Authorization | String | Bearer {token}.**Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
```
**Response**
Here is an example of the response.
```json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
{
"id": "CVE-2017-0140",
"name": "CVE-2017-0140",
"description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
"severity": "Medium",
"cvssV3": 4.2,
"exposedMachines": 1,
"publishedOn": "2017-03-14T00:00:00Z",
"updatedOn": "2019-10-03T00:03:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
},
}
```

86
windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md Normal file
View File

@ -0,0 +1,86 @@
---
title: Get vulnerability by Id
description: Retrieves vulnerability information by its ID.
keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get vulnerability by ID
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves vulnerability information by its ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
## HTTP request
```
GET /api/vulnerabilities/{cveId}
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the vulnerability information in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
```
**Response**
Here is an example of the response.
```
Content-type: json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
"id": "CVE-2019-0608",
"name": "CVE-2019-0608",
"description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
"severity": "Medium",
"cvssV3": 4.3,
"exposedMachines": 4,
"publishedOn": "2019-10-08T00:00:00Z",
"updatedOn": "2019-12-16T16:20:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
}
```

31
windows/security/threat-protection/microsoft-defender-atp/machine.md
View File

@ -22,6 +22,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
Method|Return Type |Description
@ -30,6 +31,9 @@ Method|Return Type |Description
[Get machine](get-machine-by-id.md) | [machine](machine.md) | Get a [machine](machine.md) by its identity.
[Get logged on users](get-machine-log-on-users.md) | [user](user.md) collection | Get the set of [User](user.md) that logged on to the [machine](machine.md).
[Get related alerts](get-machine-related-alerts.md) | [alert](alerts.md) collection | Get the set of [alert](alerts.md) entities that were raised on the [machine](machine.md).
[Get installed software](get-installed-software.md) | [software](software.md) collection | Retrieves a collection of installed software related to a given machine ID.
[Get discovered vulnerabilities](get-discovered-vulnerabilities.md) | [vulnerability](vulnerability.md) collection | Retrieves a collection of discovered vulnerabilities related to a given machine ID.
[Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
@ -52,29 +56,4 @@ riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. P
exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined).
machineTags | String collection | Set of [machine](machine.md) tags.
## Json representation
```json
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```
exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.

2
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -43,6 +43,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information.
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.

59
windows/security/threat-protection/microsoft-defender-atp/recommendation.md Normal file
View File

@ -0,0 +1,59 @@
---
title: Recommendation methods and properties
description: Retrieves top recent alerts.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Recommendation resource type
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
Method |Return Type |Description
:---|:---|:---
[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
[Get recommendation machines](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of machines associated with the security recommendation
[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
## Properties
Property | Type | Description
:---|:---|:---
id | String | Recommendation ID
productName | String | Related software name
recommendationName | String | Recommendation name
Weaknesses | Long | Number of discovered vulnerabilities
Vendor | String | Related vendor name
recommendedVersion | String | Recommended version
recommendationCategory | String | Recommendation category. Possible values are: “Accounts”, “Application”, “Network”, “OS”, “SecurityStack
subCategory | String | Recommendation sub-category
severityScore | Double | Potential impact of the configuration to the organizations configuration score (1-10)
publicExploit | Boolean | Public exploit is available
activeAlert | Boolean | Active alert is associated with this recommendation
associatedThreats | String collection | Threat analytics report is associated with this recommendation
remediationType | String | Remediation type. Possible values are: “ConfigurationChange”,“Update”,“Upgrade”,”Uninstall”
Status | Enum | Recommendation exception status. Possible values are: “Active” and “Exception”
configScoreImpact | Double | Configuration score impact
exposureImpacte | Double | Exposure score impact
totalMachineCount | Long | Number of installed machines
exposedMachinesCount | Long | Number of installed machines that are exposed to vulnerabilities
nonProductivityImpactedAssets | Long | Number of machines which are not affected
relatedComponent | String | Related software component

77
windows/security/threat-protection/microsoft-defender-atp/score.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Score methods and properties
description: Retrieves your organization's exposure score, device secure score, and exposure score by machine group
keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by machine group
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Score resource type
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
Method |Return Type |Description
:---|:---|:---
[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
[List exposure score by machine group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by machine group.
## Properties
Property | Type | Description
:---|:---|:---
Score | Double | The current score.
Time | DateTime | The date and time in which the call for this API was made.
RbacGroupId | Nullable Int | RBAC Group ID.
### Response example for getting machine groups score:
```
GET https://api.securitycenter.windows.com/api/exposureScore/byMachineGroups
```
```json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
"value": [
{
"time": "2019-12-03T07:26:49.9376328Z",
"score": 41.38041766305988,
"rbacGroupId": 10
},
{
"time": "2019-12-03T07:26:49.9376375Z",
"score": 23.58823563070858,
"rbacGroupId": 5
},
{
"time": "2019-12-03T07:26:49.9376382Z",
"score": 37.403726933165366,
"rbacGroupId": 11
},
{
"time": "2019-12-03T07:26:49.9376388Z",
"score": 26.323200116475423,
"rbacGroupId": 9
}
]
}
```

47
windows/security/threat-protection/microsoft-defender-atp/software.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Software methods and properties
description: Retrieves top recent alerts.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Software resource type
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
Method |Return Type |Description
:---|:---|:---
[List software](get-software.md) | Software collection | List the organizational software inventory.
[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of machines that are associated with the software ID.
[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
## Properties
Property | Type | Description
:---|:---|:---
id | String | Software ID
Name | String | Software name
Vendor | String | Software vendor name
Weaknesses | Long | Number of discovered vulnerabilities
publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
activeAlert | Boolean | Active alert is associated with this software
exposedMachines | Long | Number of exposed machines
impactScore | Double | Exposure score impact of this software

50
windows/security/threat-protection/microsoft-defender-atp/vulnerability.md Normal file
View File

@ -0,0 +1,50 @@
---
title: Vulnerability methods and properties
description: Retrieves vulnerability information
keywords: apis, graph api, supported apis, get, vulnerability
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Vulnerability resource type
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
Method |Return Type |Description
:---|:---|:---
[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
[List machines by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of machines that are associated with the vulnerability ID
## Properties
Property | Type | Description
:---|:---|:---
id | String | Vulnerability ID
Name | String | Vulnerability title
Description | String | Vulnerability description
Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
cvssV3 | Double | CVSS v3 score
exposedMachines | Long | Number of exposed machines
publishedOn | DateTime | Date when vulnerability was published
updatedOn | DateTime | Date when vulnerability was updated
publicExploit | Boolean | Public exploit exists
exploitVerified | Boolean | Exploit is verified to work
exploitInKit | Boolean | Exploit is part of an exploit kit
exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
exploitUris | String collection | Exploit source URLs

52
windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
View File

@ -18,29 +18,63 @@ ms.date: 05/17/2018
---
> [!NOTE]
> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
# Deploy Windows Defender Application Control policies by using Microsoft Intune
**Applies to:**
- Windows 10
- Windows Server 2016
- Windows 10
- Windows Server 2016
You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited.
You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can either configure an Endpoint Protection profile for WDAC, or create a custom profile with an OMA-URI setting. By using an Endpoint Protection profile, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps as defined by the Intelligent Security Graph.
In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies via the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
## Using Intune's Built-In Policies
1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**.
2. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**.
![Configure profile](images/wdac-intune-create-profile-name.png)
4. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**:
3. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**:
- **Application control code integrity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run.
- **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps.
![Configure WDAC](images/wdac-intune-wdac-settings.png)
To add a custom profile with an OMA-URI see, [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/intune/configuration/custom-settings-windows-10).
![Configure built-in WDAC](images/wdac-intune-wdac-settings.png)
## Using a Custom OMA-URI Profile
### For 1903+ systems
The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are:
1. Know a generated policys GUID, which can be found in the policy xml as `<PolicyID>`
2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
5. Add a row, then give your policy a name and use the following settings:
- **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
- **Data type**: Base64
- **Certificate file**: upload your binary format policy file
![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png)
> [!NOTE]
> Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
### For pre-1903 systems
The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
4. Add a row, then give your policy a name and use the following settings:
- **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
- **Data type**: Base64
- **Certificate file**: upload your binary format policy file
> [!NOTE]
> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy.

BIN
windows/security/threat-protection/windows-defender-application-control/images/policy-id.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB