mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-18 16:27:22 +00:00
Merged PR 8718: 6/1 PM Publish
This commit is contained in:
commit
557e647de3
@ -7,7 +7,7 @@ ms.localizationpriority: high
ms.sitesec: library
author: lizap
ms.author: elizapo
ms.date: 05/03/2018
ms.date: 06/01/2018
---
# Features removed or planned for replacement starting with Windows 10, version 1803
@ -32,7 +32,6 @@ We've removed the following features and functionalities from the installed prod
|Language control in the Control Panel| Use the Settings app to change your language settings.|
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.<br><br>When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.<br><br>Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: <br>- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) <br>- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) |
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).|
|**Conversations** in the People app when you're offline or if you're using a non-Office 365 mail account|In Windows 10, the People app shows mail from Office 365 contacts and contacts from your school or work organization under **Conversations**. After you update to Windows 10, version 1803, in order to see new mail in the People app from these specific contacts, you need to be online, and you need to have signed in with either an Office 365 account or, for work or school organization accounts, through the [Mail](https://support.microsoft.com/help/17198/windows-10-set-up-email), [People](https://support.microsoft.com/help/14103/windows-people-app-help), or [Calendar](https://support.office.com/article/Mail-and-Calendar-for-Windows-10-FAQ-4ebe0864-260f-4d3a-a607-7b9899a98edc) apps. Please be aware that you’ll only see mail for work and school organization accounts and some Office 365 accounts.|
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. <br><br>However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
## Features we’re no longer developing
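Review bot: the HomeGroup row's `[Share your network printer]` link points at a Bing search query rather than a support or docs page; a search-results URL is fragile and can surface third-party content, so point it at a support.microsoft.com article the way the sibling `[Share files in File Explorer]` link does. The hunk header counts one line fewer on the new side, so confirm that the intended table row is the one removed and that no remaining row lost its closing `|`.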
@ -26,9 +26,9 @@ Steps are provided in sections that follow the recommended setup process:
Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
**If you are not yet using OMS**, use the following steps to subscribe to OMS Device Health:
**If you are not yet using Windows Analytics or Azure Log Analytics**, use the following steps to subscribe:
1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
[](images/uc-02.png)
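Review bot: the rewritten paragraph beginning **If you are already using Windows Analytics** contains a broken sentence: "you should use the same Azure Log Analytics workspace you're already using. find Device Health in the Solutions Gallery." The lowercase "find" starts a fragment; suggest "…workspace you're already using, then find Device Health in the Solutions Gallery." The unchanged opening paragraph and step 1 still introduce and link to OMS, so after this rename the section presents the product as OMS and then tells the reader to subscribe to Windows Analytics or Azure Log Analytics; update the intro and step 1 to match.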
@ -50,11 +50,11 @@ Device Health is offered as a solution in the Microsoft Operations Management Su
[](images/uc-06.png)
6. To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
6. To add Update Readiness to your workspace, go to the Solution Gallery, Select the **Update Readiness** tile and then select **Add** on the solution's detail page.
[](images/solution-bundle.png)
7. Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added.
7. Click the **Update Readiness** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added.
[](images/OMS-after-adding-solution.jpg)
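Review bot: steps 6 and 7 now say **Update Readiness**, but the product is named Upgrade Readiness everywhere else in this set (the link text in the old step 6 and the closing sentence of step 7, "both Upgrade Readiness and Device Health solutions have been added"); use one name. That closing sentence of step 7 also still says Device Health has been added, which no longer matches a step 6 that adds only Upgrade Readiness; either keep the Device Health mention in step 6 or drop it from step 7.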
@ -4,10 +4,10 @@ description: You can use Group Policy or your mobile device management (MDM) ser
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
author: jaimeo
ms.localizationpriority: high
ms.author: daniha
ms.date: 10/13/2017
ms.author: jaimeo
ms.date: 06/01/2018
---
# Configure Windows Update for Business
@ -21,14 +21,14 @@ ms.date: 10/13/2017
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
>[!IMPORTANT]
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still appear in some of our products.
>
>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
>[!IMPORTANT]
>For Windows Update for Business policies to be honored, the Diagnostic Data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
>For Windows Update for Business policies to be honored, the diagnostic data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md).
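Review bot: the rewritten IMPORTANT line still reads "CB,CBB, and LTSB"; add the space after the first comma: "CB, CBB, and LTSB". The remaining edits in the hunk (lowercasing "diagnostic data", "might still appear") are fine, and the security-relevant statement that Windows Update for Business policies are ignored when the diagnostic data level is 0 (Security) is carried over unchanged.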
@ -42,7 +42,7 @@ By grouping devices with similar deferral periods, administrators are able to cl
<span id="configure-devices-for-current-branch-or-current-branch-for-business"/>
## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
With Windows Update for Business, you can set a device to be on either the Current Branch (CB) (now called Semi-Annual Channel (Targeted)) or the Current Branch for Business (CBB) (now called Semi-Annual Channel) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
**Release branch policies**
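Review bot: the heading "Configure devices for Current Branch (CB) or Current Branch for Business (CBB)" and its `<span id>` anchor keep the old names while the paragraph under it is rewritten to say these are now Semi-Annual Channel (Targeted) and Semi-Annual Channel; update the heading too (the anchor id can stay so existing links keep working). The nested parentheses "(CB) (now called Semi-Annual Channel (Targeted))" read awkwardly; "the Current Branch (CB, now Semi-Annual Channel (Targeted))" is easier to follow.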
@ -60,6 +60,9 @@ Starting with version 1703, users are able to configure their device's branch re
>[!NOTE]
>Users will not be able to change this setting if it was configured by policy.
>[!IMPORTANT]
>Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
## Configure when devices receive Feature Updates
After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
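Review bot: in the new IMPORTANT block, "Semi-Annual Channel (Targeted)(formerly called" is missing a space before the second parenthesis. This block says a device with diagnostic data at 0 is treated as Semi-Annual Channel (Targeted), while the IMPORTANT block earlier in the same topic says that at level 0 Windows Update for Business policies have no effect at all; both can hold, but the two notes should cross-reference each other or be merged so a reader does not take the weaker statement as the whole rule.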
@ -4,10 +4,10 @@ description: Windows Update for Business lets you manage when devices received u
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
author: jaimeo
ms.localizationpriority: high
ms.author: daniha
ms.date: 10/13/2017
ms.author: jaimeo
ms.date: 06/01/2018
---
# Deploy updates using Windows Update for Business
@ -21,9 +21,9 @@ ms.date: 10/13/2017
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
>[!IMPORTANT]
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still apear in some of our products.
>
>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
>In the following settings, CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
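Review bot: the added line introduces a typo: "might still apear" should be "might still appear"; the same sentence in the configure-wufb topic changed in this commit spells it correctly. "CB,CBB, and LTSB" also needs a space after the first comma.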
@ -105,7 +105,7 @@ The pause period is now calculated starting from the set start date. For additio
Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
>[!NOTE]
>For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
>For more information on Current Branch (Semi-Annual Channel (Targeted)) and Current Branch for Business (Semi-Annual Channel), see [Windows 10 servicing options](waas-overview.md#servicing-channels).
<table>
<thead>
@ -113,7 +113,7 @@ Windows Update for Business was first made available in Windows 10, version 1511
</tr>
</thead>
<tbody>
<tr><td><p>Select Servicing Options: CB or CBB</p></td><td><p>Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)</p></td><td><p>Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).</p></td></tr>
<tr><td><p>Select servicing options: CB or CBB</p></td><td><p>Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)</p></td><td><p>Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).</p></td></tr>
<tr><td><p>Quality Updates</p></td><td><p>Able to defer receiving Quality Updates:</p><ul><li>Up to 4 weeks</li><li>In weekly increments</li></ul></td><td><p>Able to defer receiving Quality Updates:</p><ul><li>Up to 30 days</li><li>In daily increments</li></ul></td></tr>
<tr><td><p>Feature Updates</p></td><td><p>Able to defer receiving Feature Updates:</p><ul><li>Up to 8 months</li><li>In monthly increments</li></ul></td><td><p>Able to defer receiving Feature Updates:</p><ul><li>Up to 180 days</li><li>In daily increments</li></ul></td></tr>
<tr><td><p>Pause updates</p></td><td><ul><li>Feature Updates and Quality Updates paused together</li><li>Maximum of 35 days</li></ul></td><td><p>Features and Quality Updates can be paused separately.</p><ul><li>Feature Updates: maximum 60 days</li><li>Quality Updates: maximum 35 days</li></ul></td></tr>
@ -7,7 +7,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: high
ms.author: jaimeo
ms.date: 02/09/2018
ms.date: 06/01/2018
---
# Overview of Windows as a service
@ -72,11 +72,16 @@ As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting
* Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel".
* Long-Term Servicing Channel - The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC).
>[!IMPORTANT]
>With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For nmore information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747).
>[!NOTE]
>For additional information, see the section about [Servicing Channels](#servicing-channels).
>
>You can also read [this blog post](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change.
>You can also read the blog post [Waas simplified and aligned](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change.
>[!IMPORTANT]
>Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
### Feature updates
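Review bot: the added IMPORTANT sentence has "For nmore information"; fix to "For more information". In the rewritten NOTE, "Waas simplified and aligned" should be "WaaS simplified and aligned" to match the abbreviation used elsewhere on this page. The unchanged context line above it still reads "We will be referreing to"; worth fixing in the same commit since the block is being touched. The new diagnostic-data IMPORTANT block also has "(Targeted)(formerly" with no space, the same defect as in the configure-wufb topic.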
@ -90,6 +90,12 @@ If you are planning to enable IE Site Discovery in Upgrade Readiness, you will n
|----------------------|-----------------------------------------------------------------------------|
| [Review site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)<br>Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. <br>For more information about this update, see <https://support.microsoft.com/kb/3150513><br><br>Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
## Set diagnostic data levels
You can set the diagnostic data level used by monitored devices either with the Update Readiness deployment script or by policy (by using Group Policy or Mobile Device Management).
The basic functionality of Update Readiness will work at the Basic diagnostic data level, you won't get usage or health data for your updated devices without enabling the Enhanced level. This means you won't get information about health regressions on updated devices. So it is best to enable the Enhanced diagnostic data level, at least on devices running Windows 10, version 1709 (or later) where the Enhanced diagnostic data setting can be paired with "limited enhanced" data level (see [Windows 10 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)). For more information, see [Windows Analytics and privacy](https://docs.microsoft.com/windows/deployment/update/windows-analytics-privacy).
## Enroll a few pilot devices
You can use the Upgrade Readiness deployment script to automate and verify your deployment. We always recommend manually running this script on a few representative devices to verify things are properly configured and the device can connect to the diagnostic data endpoints. Make sure to run the pilot version of the script, which will provide extra diagnostics.
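Review bot: "Set diagnostic data levels" says "with the Update Readiness deployment script", but the next section calls it the Upgrade Readiness deployment script; use one name. The paragraph on levels has a comma splice, "will work at the Basic diagnostic data level, you won't get usage or health data"; make it "…level, but you won't get…". Because this paragraph recommends the Enhanced level, it should say plainly that Enhanced collects more device data than Basic, and the privacy link belongs right beside that recommendation, where the hunk already places it.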
@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 06/01/2018
---
# Advanced hunting reference in Windows Defender ATP
@ -35,75 +35,73 @@ Use the following table to understand what the columns represent, its data type,
| Column name | Data type | Description
:---|:--- |:---
| AccountDomain | string | Domain of the account. |
| AccountName | string | User name of the account. |
| AccountSid | string | Security Identifier (SID) of the account. |
| ActionType | string | Type of activity that triggered the event. |
| AdditionalFields | string | Additional information about the event in JSON array format. |
| AlertId | string | Unique identifier for the alert. |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine. |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. |
| EventTime | datetime | Date and time when the event was recorded. |
| EventType | string | Table where the record is stored. |
| FileName | string | Name of the file that the recorded action was applied to. |
| FileOriginIp | string | IP address where the file was downloaded from. |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file. |
| FileOriginUrl | string | URL where the file was downloaded from. |
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
| InitiatingProcessFileName | string | Name of the process that initiated the event. |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event. |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| ActionType | string | Type of activity that triggered the event |
| AdditionalFields | string | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| EventTime | datetime | Date and time when the event was recorded |
| EventType | string | Table where the record is stored |
| FileName | string | Name of the file that the recorded action was applied to |
| FileOriginIp | string | IP address where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
| FileOriginUrl | string | URL where the file was downloaded from |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event. |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. |
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. |
| LocalIP | string | IP address assigned to the local machine used during communication. |
| LocalPort | int | TCP port on the local machine used during communication. |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| LogonType | string | Type of logon session, specifically: <br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen.<br> <br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients. <br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed. <br><br> - **Batch** - Session initiated by scheduled tasks. <br><br> - **Service** - Session initiated by services as they start. <br>
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| MachineId | string | Unique identifier for the machine in the service. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to. |
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format. |
| OSArchitecture | string | Architecture of the operating system running on the machine. |
| OSBuild | string | Build version of the operating system running on the machine. |
| MachineId | string | Unique identifier for the machine in the service |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSBuild | string | Build version of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified. |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified. |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified. |
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified. |
| ProcessCommandline | string | Command line used to create the new process. |
| ProcessCreationTime | datetime | Date and time the process was created. |
| ProcessId | int | Process ID (PID) of the newly created process. |
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified |
| ProcessCommandline | string | Command line used to create the new process |
| ProcessCreationTime | datetime | Date and time the process was created |
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. |
| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log. |
| RegistryKey | string | Registry key that the recorded action was applied to. |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to. |
| RemoteIP | string | IP address that was being connected to. |
| RemotePort | int | TCP port on the remote device that was being connected to. |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ReportIndex | long | Event identifier that is unique among the same event type. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available.
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RemoteIP | string | IP address that was being connected to |
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
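Review bot: Both ProcessTokenElevation rows expand UAC as "User Access Control"; the Windows feature is User Account Control, so both occurrences should read "User Account Control (UAC)". In the ProcessIntegrityLevel row, "such as if they were launched from an internet downloaded" is ungrammatical and could read "such as whether they were launched from a file downloaded from the internet". Two rows also break the three-column layout used everywhere else in the table: the RemoteComputerName row ends with `| |` (an extra empty cell), and the first SHA256 row has no closing `|` at all, unlike the second SHA256 row. Finally, this region carries both a ReportIndex row ("unique among the same event type") and a ReportId row ("based on a repeating counter ... must be used in conjunction with the ComputerName and EventTime columns"); if the column was renamed, make sure only the current name ships, because the two descriptions make contradictory uniqueness claims that anyone deduplicating events in a hunting query will rely on.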
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
## Related topic
- [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
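Review bot: The second Related topic link uses a root-relative path (`/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md`) while the first uses a plain relative path to a sibling file; the leading slash resolves against the site root rather than this folder, so drop it for consistency with the link above: `- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)`. Since the section now lists two entries, the heading could also read "Related topics".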