From fa7ff33a3ae22711e9040bfc9958ce7299d727f3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 14:54:58 -0800 Subject: [PATCH 001/304] Create defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md new file mode 100644 index 0000000000..6ea027c1ee --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -0,0 +1,33 @@ +--- +title: Address false positives/negatives in Microsoft Defender for Endpoint +description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint. +keywords: alert, exclusion, defender atp, false positive, false negative +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.technology: windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 12/15/2020 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree +ms.custom: AIR +--- + +# Address false positives/negatives in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) + From 6ce84f2c4dbacc71486731a580b322af7bd12486 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 14:57:19 -0800 Subject: [PATCH 002/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 6ea027c1ee..b3098ec0dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -20,7 +20,7 @@ ms.collection: - m365initiative-defender-endpoint ms.topic: conceptual ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree -ms.custom: AIR +ms.custom: FPFN --- # Address false positives/negatives in Microsoft Defender for Endpoint @@ -31,3 +31,5 @@ ms.custom: AIR - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) +Did Microsoft Defender for Endpoint identify an artifact as malicious, even though it wasn't? Are files or processes that are not a threat being stopped in their tracks by Defender for Endpoint? Or, did Defender for Endpoint miss something? Use this article as a guide for addressing false positives or false negatives in Defender for Endpoint. + From fda53f2bd94c7d4e2691922fad5982a7c5b08a0e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 15:10:19 -0800 Subject: [PATCH 003/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b3098ec0dd..72ede58c51 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,3 +33,6 @@ ms.custom: FPFN Did Microsoft Defender for Endpoint identify an artifact as malicious, even though it wasn't? Are files or processes that are not a threat being stopped in their tracks by Defender for Endpoint? Or, did Defender for Endpoint miss something? Use this article as a guide for addressing false positives or false negatives in Defender for Endpoint. +| Step | Description | +|:---|:---| +| 1. Identify a false positive/negative | | \ No newline at end of file From 131da8346ac47dac17b151b7ed07ff7c81cfd056 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 15:56:57 -0800 Subject: [PATCH 004/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 72ede58c51..7a8b28a303 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -35,4 +35,25 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou | Step | Description | |:---|:---| -| 1. Identify a false positive/negative | | \ No newline at end of file +| 1. Identify a false positive/negative | | +| 2. Review/define exclusions for Defender for Endpoint | | +| 3. Review/define indicators for Defender for Endpoint | | +| 4. Classify a false positive/negative in Defender for Endpoint | | +| 5. Submit a file for analysis | | +| 6. Confirm your software uses EV code signing | | + +## Identify a false positive/negative + +*How do we know something is a false positive or negative? What do we want customers to look for?* + +## Review or define exclusions + +*Exclusions are defined for AutoIR and for MDAV, yes?* + +## Review or define indicators + +## Classify a false positive or false negative + +## Submit a file for analysis + +## Confirm your software uses EV code signing \ No newline at end of file From ae764c12b4d5421861690c50422d036e3e37cc7b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 16:02:50 -0800 Subject: [PATCH 005/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7a8b28a303..40bb2b65ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -35,12 +35,12 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou | Step | Description | |:---|:---| -| 1. Identify a false positive/negative | | -| 2. Review/define exclusions for Defender for Endpoint | | -| 3. Review/define indicators for Defender for Endpoint | | -| 4. Classify a false positive/negative in Defender for Endpoint | | -| 5. Submit a file for analysis | | -| 6. Confirm your software uses EV code signing | | +| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | | +| 2. [Review/define exclusions for Defender for Endpoint](#review-or-define-exclusions) | | +| 3. [Review/define indicators for Defender for Endpoint](#review-or-define-indicators) | | +| 4. [Classify a false positive/negative in Defender for Endpoint](#classify-a-false-positive-or-false-negative) | | +| 5. [Submit a file for analysis](#submit-a-file-for-analysis) | | +| 6. [Confirm your software uses EV code signing](#confirm-your-software-uses-ev-code-signing) | | ## Identify a false positive/negative @@ -52,8 +52,16 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou ## Review or define indicators +*Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* + ## Classify a false positive or false negative +*Need to figure out where/how this is done* + ## Submit a file for analysis -## Confirm your software uses EV code signing \ No newline at end of file +*https://www.microsoft.com/wdsi/filesubmission/* + +## Confirm your software uses EV code signing + +*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* \ No newline at end of file From fe4c83039bc4c7431f25a5f3f975109743b011ce Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 16:08:27 -0800 Subject: [PATCH 006/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 40bb2b65ea..2d4e5efdb5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -35,7 +35,7 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou | Step | Description | |:---|:---| -| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | | +| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | A false positive is something that was detected and identified as malicious, when in fact it does not pose a threat.
A false negative is something that was not detected as a threat even though it is, in fact, malicious.
Both false positives and false negatives can be problematic for your organization. | | 2. [Review/define exclusions for Defender for Endpoint](#review-or-define-exclusions) | | | 3. [Review/define indicators for Defender for Endpoint](#review-or-define-indicators) | | | 4. [Classify a false positive/negative in Defender for Endpoint](#classify-a-false-positive-or-false-negative) | | From 443c53cbfd1a94240e6568ae4dfe09e5be9299b6 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 16 Dec 2020 23:21:11 +0530 Subject: [PATCH 007/304] updated-4620497 updated --- windows/security/threat-protection/index.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 88ac6667fb..f9594c5218 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Threat Protection [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + > [!TIP] > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/). From 4172c1f5d6b0ae822486c230b648ea4fd36ceb49 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 14:51:40 -0800 Subject: [PATCH 008/304] Create best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md new file mode 100644 index 0000000000..e0b732c7ad --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -0,0 +1,32 @@ +--- +title: Best practices with attack surface reduction rules +description: Prevent issues from arising with your attack surface reduction rules by following these best practices +keywords: Microsoft Defender ATP, attack surface reduction, best practices +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: jcedola +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: +- asr +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +--- + +# Best practices with attack surface reduction rules + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +*ASR guidance for deploying rules (links to Antonio’s blog, recommendations for deploying rules to small set of devices first, code signing, link to ASR Power BI template, and link to M365 security center reports)* + From 3525787146823116248e423e6fd9ba753f6ad8f1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 14:53:34 -0800 Subject: [PATCH 009/304] Update TOC.md --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 79487e7cc2..862dcdb459 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -82,6 +82,7 @@ #### [Attack surface reduction controls]() ##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) +##### [Best practices with attack surface reduction rules](microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md) ##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md) ##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md) ##### [View attack surface reduction events](microsoft-defender-atp/event-views.md) From e90667baf92ce836c62737bae1f493757e4df046 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 16:00:23 -0800 Subject: [PATCH 010/304] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index e0b732c7ad..cc67b6f89e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -1,5 +1,5 @@ --- -title: Best practices with attack surface reduction rules +title: Tips and best practices for attack surface reduction rules description: Prevent issues from arising with your attack surface reduction rules by following these best practices keywords: Microsoft Defender ATP, attack surface reduction, best practices search.product: eADQiWindows 10XVcnh @@ -19,14 +19,33 @@ ms.collection: - m365initiative-defender-endpoint --- -# Best practices with attack surface reduction rules +# Tips and best practices for attack surface reduction rules [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -*ASR guidance for deploying rules (links to Antonio’s blog, recommendations for deploying rules to small set of devices first, code signing, link to ASR Power BI template, and link to M365 security center reports)* + + +Whether you're about to enable or have already deployed attack surface reduction rules for your organization, see the information in this article. By using the tips and best practices in this article, you can employ attack surface reduction rules successfully and avoid potential issues. + +## Use a phased approach + +Before you roll out attack surface reduction rules in your organization, select a small set of managed devices to start. This approach enables you to see how attack surface reduction rules work in your environment and gives you flexibility in applying exclusions. You can do this with dynamic membership rules. + + + +## Use code signing for applications + +## Get the Power BI report template + + +https://github.com/microsoft/MDATP-PowerBI-Templates + +## Avoid policy conflicts + +## See the demystifying blogs From 9337b5f030d22f55a15554d42a658d2e890cfe65 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 16:14:27 -0800 Subject: [PATCH 011/304] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index cc67b6f89e..79644b2380 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -40,12 +40,15 @@ Before you roll out attack surface reduction rules in your organization, select ## Use code signing for applications +As a best practice, use code signing for all the applications and scripts that your organization is using. This includes internally developed applications. Using code signing helps avoid false positives with attack surface reduction rules. It can also help avoid issues with attack surface reduction rules for developers and other users within your organization. + ## Get the Power BI report template - -https://github.com/microsoft/MDATP-PowerBI-Templates + ## Avoid policy conflicts + + ## See the demystifying blogs From bf788b9b594dc9cf544f85ecd184fbdab696e2a9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 16:39:52 -0800 Subject: [PATCH 012/304] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 79644b2380..de07f909f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -52,3 +52,10 @@ As a best practice, use code signing for all the applications and scripts that y ## See the demystifying blogs + +|Blog |Description | +|---------|---------| +|[Demystifying attack surface reduction rules - Part 1: Why and What](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) | Get a quick overview of the Why and the What through eight questions and answers. | +|[Demystifying attack surface reduction rules - Part 2: How](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-2/ba-p/1326565) | See how to configure attack surface reduction rules, how exclusions work, and how to define exclusions. | +|[Demystifying attack surface reduction rules - Part 3: Reports and Troubleshooting](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-3/ba-p/1360968) | | +|Row4 | | From a3a05f747e7eddaac23fde5a5c91141bffc75827 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 17:03:48 -0800 Subject: [PATCH 013/304] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index de07f909f2..7f28d0e038 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -52,10 +52,12 @@ As a best practice, use code signing for all the applications and scripts that y ## See the demystifying blogs +The following table lists several blog posts that you might find helpful. All of these blogs are hosted on the [Microsoft Tech Community site](https://techcommunity.microsoft.com), under [Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog). |Blog |Description | |---------|---------| |[Demystifying attack surface reduction rules - Part 1: Why and What](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) | Get a quick overview of the Why and the What through eight questions and answers. | |[Demystifying attack surface reduction rules - Part 2: How](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-2/ba-p/1326565) | See how to configure attack surface reduction rules, how exclusions work, and how to define exclusions. | -|[Demystifying attack surface reduction rules - Part 3: Reports and Troubleshooting](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-3/ba-p/1360968) | | -|Row4 | | +|[Demystifying attack surface reduction rules - Part 3: Reports and Troubleshooting](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-3/ba-p/1360968) | Learn how to view reports and information about attack surface reduction rules and their status, and how to troubleshoot issues with rule impact and operations. | +|[Demystifying attack surface reduction rules - Part 4: Migrating](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-4/ba-p/1384425) | If you're currently using a non-Microsoft host intrusion prevention system (HIPS) and are evaluating or migrating to attack surface reduction capabilities in Microsoft Defender for Endpoint, see this blog. You'll see how custom rules you were using with your HIPS solution can map to attack surface reduction rules in Microsoft Defender for Endpoint. | + From dc962d76e76215e9ada5ee762adb98e44d446061 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 17:13:05 -0800 Subject: [PATCH 014/304] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 7f28d0e038..487e9cd874 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -42,6 +42,10 @@ Before you roll out attack surface reduction rules in your organization, select As a best practice, use code signing for all the applications and scripts that your organization is using. This includes internally developed applications. Using code signing helps avoid false positives with attack surface reduction rules. It can also help avoid issues with attack surface reduction rules for developers and other users within your organization. +## View reports in the Microsoft 365 security center + +In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. + ## Get the Power BI report template From f7ebe8a8e67172c8aab6e29c8128f9827c37a4be Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 17:30:59 -0800 Subject: [PATCH 015/304] Update best-practices-attack-surface-reduction-rules.md --- ...best-practices-attack-surface-reduction-rules.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 487e9cd874..caf7149e05 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -44,7 +44,7 @@ As a best practice, use code signing for all the applications and scripts that y ## View reports in the Microsoft 365 security center -In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. +In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. (MORE TO COME!) ## Get the Power BI report template @@ -52,6 +52,17 @@ In the Microsoft 365 security center ([https://security.microsoft.com](https://s ## Avoid policy conflicts +If a conflicting policy is applied via Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM will take precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). + +Attack surface reduction rules for MEM managed devices now support new behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. Attack surface reduction rule merge behavior is as follows: +- Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to: + - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction). + - Endpoint security > Attack surface reduction policy > Attack surface reduction rules. + - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Attack Surface Reduction Rules. +- Settings that do not have conflicts are added to a superset of policy for the device. +- When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device. +- Only the configurations for conflicting settings are held back. + ## See the demystifying blogs From 0d4c2d4fe938e21f6e1baead860009915e010d70 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 17:36:15 -0800 Subject: [PATCH 016/304] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index caf7149e05..96874697de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -55,12 +55,16 @@ In the Microsoft 365 security center ([https://security.microsoft.com](https://s If a conflicting policy is applied via Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM will take precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). Attack surface reduction rules for MEM managed devices now support new behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. Attack surface reduction rule merge behavior is as follows: + - Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to: - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction). - Endpoint security > Attack surface reduction policy > Attack surface reduction rules. - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Attack Surface Reduction Rules. + - Settings that do not have conflicts are added to a superset of policy for the device. + - When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device. + - Only the configurations for conflicting settings are held back. From b384eba9eb2b195a196a6cb8a9422e6fbc7a70e6 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 31 Dec 2020 19:16:42 +0530 Subject: [PATCH 017/304] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 48 +++++++++++++++++-- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 96874697de..80da8794b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -42,21 +42,61 @@ Before you roll out attack surface reduction rules in your organization, select As a best practice, use code signing for all the applications and scripts that your organization is using. This includes internally developed applications. Using code signing helps avoid false positives with attack surface reduction rules. It can also help avoid issues with attack surface reduction rules for developers and other users within your organization. -## View reports in the Microsoft 365 security center +## View reports from various sources in Microsoft + +### From the Microsoft 365 security center** In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. (MORE TO COME!) +To retrieve and view the reports generated in ([https://security.microsoft.com](https://security.microsoft.com)), ensure that the device for which you seek a report is onboarded on to Microsoft Defender ATP. + +### By Microsoft Defender ATP advanced hunting** + +Advanced hunting is a query-based threat-hunting tool of Microsoft Defender ATP. This tool generates reports based on the findings of the threat-hunting process. + +The **advanced hunting** tool enables the users to audit the **Of-the-last-30-days** data collected from various devices by Microsoft Defender ATP Endpoint Detection and Response (EDR). It facilitates proactive logging of any suspicious indicators and entities in the events that you explore. This tool provides flexibility in accessing data (without any restriction in category of data to be accessed). This flexibility enables the user to detect known threats and spot new threats. + +The reports for the ASR rules' events are generated by querying the **DeviceEvents** table. + +**Template of DeviceEvents table** + +DeviceEvents +| where Timestamp > ago (30d) +| where ActionType startswith "Asr" +| summarize EventCount=count () by ActionType + +### By Microsoft Defender ATP machine timeline + +Machine timeline is another report-generating source in Microsoft Defender ATP, but with a narrower scope. + +Reports relating to ASR rule events can be generated for the preceding-6-months period on a specific endpoint or device. + +**Summarized procedure to generate report** + +1. Log in to **Microsoft Defender Security Center** and navigate to the **Machines** tab. +2. Choose a machine for which you want to view the reports of its ASR rule-related events. +3. Click **Timeline** and choose the time range for which the report is to display data. + + ## Get the Power BI report template ## Avoid policy conflicts -If a conflicting policy is applied via Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM will take precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). +If a conflicting policy has emerged as a result of a policy being applied from Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM takes precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). -Attack surface reduction rules for MEM managed devices now support new behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. Attack surface reduction rule merge behavior is as follows: +Attack surface reduction (ASR) rules for MEM-managed devices now support a new behavior for merger of settings from different policies, to create a superset of policies for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either of the profiles would be deployed. ASR rule merge behavior is as follows: -- Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to: +Attack surface reduction (ASR) rules for MEM (Microsoft Endpoint Manager)-managed devices support a new behavior in terms of merger of the settings of policies. This behavior is described below: + +- If two or more policies have multiple settings configured in each of them, the settings without a conflict are merged into the superset of the policies they are mapped to. +- If two or more policies encounter a conflict over a single setting from the various settings they are configured with, only that single setting with a conflict is held back from being merged into the superset of the policies. +- The bundle of settings as a whole are not held back from being merged into the superset because of the single conflict-affected setting. +- The policy as a whole is not flagged as **being in conflict** because of one of its settings being conflict affected. + + +- ASR rules from the following profiles are evaluated for each device the rules apply to: - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction). - Endpoint security > Attack surface reduction policy > Attack surface reduction rules. - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Attack Surface Reduction Rules. From ed4b33cf41a447b10d6cd0136f31f6826aec43b8 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 31 Dec 2020 19:33:23 +0530 Subject: [PATCH 018/304] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 80da8794b6..0a09d31840 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -44,13 +44,13 @@ As a best practice, use code signing for all the applications and scripts that y ## View reports from various sources in Microsoft -### From the Microsoft 365 security center** +### From the Microsoft 365 security center In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. (MORE TO COME!) To retrieve and view the reports generated in ([https://security.microsoft.com](https://security.microsoft.com)), ensure that the device for which you seek a report is onboarded on to Microsoft Defender ATP. -### By Microsoft Defender ATP advanced hunting** +### By Microsoft Defender ATP advanced hunting Advanced hunting is a query-based threat-hunting tool of Microsoft Defender ATP. This tool generates reports based on the findings of the threat-hunting process. @@ -65,6 +65,13 @@ DeviceEvents | where ActionType startswith "Asr" | summarize EventCount=count () by ActionType +**Procedure** + +1. Navigate to **Advanced hunting** module in the **Microsoft Defender Security Center** portal. +2. Click **Query**. +3. Click **+ New** to create a new query. +4. Click **Run query**. The report based on the query parameters (specified in the **Template of DeviceEvents table** section) is generated. + ### By Microsoft Defender ATP machine timeline Machine timeline is another report-generating source in Microsoft Defender ATP, but with a narrower scope. From c4e05bee82eba5736e53e971e2433929df88ec2c Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 13:03:43 +0500 Subject: [PATCH 019/304] Procedural Changes An unnecessary step was added in the procedure and has been removed. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8408 --- .../mac-jamfpro-policies.md | 38 +++++++++---------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index 5faeec9c8d..f1017e4215 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -750,18 +750,14 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png) -4. Navigate to **Advanced Computer Searches**. - - ![A screenshot of a social media post Description automatically generated](images/95313facfdd5e1ea361981e0a2478fec.png) - -5. Select **Computer Management**. +4. Select your computer and click the gear icon on the top, select **Computer Management** ![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png) -6. In **Packages**, select **+ New**. +5. In **Packages**, select **+ New**. ![A picture containing bird Description automatically generated](images/57aa4d21e2ccc65466bf284701d4e961.png) -7. In **New Package** Enter the following details: +6. In **New Package** Enter the following details: **General tab** - Display Name: Leave it blank for now. Because it will be reset when you choose your pkg. @@ -774,15 +770,17 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![A screenshot of a computer screen Description automatically generated](images/1aa5aaa0a387f4e16ce55b66facc77d1.png) -8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. +7. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. + **Manifest File** is not required. Microsoft Defender Advanced Threat Protection works without Manifest File. + **Options tab**
Keep default values. **Limitations tab**
Keep default values. ![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png) -9. Select **Save**. The package is uploaded to Jamf Pro. +8. Select **Save**. The package is uploaded to Jamf Pro. ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png) @@ -790,45 +788,45 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png) -10. Navigate to the **Policies** page. +9. Navigate to the **Policies** page. ![Image of configuration settings](images/f878f8efa5ebc92d069f4b8f79f62c7f.png) -11. Select **+ New** to create a new policy. +10. Select **+ New** to create a new policy. ![Image of configuration settings](images/847b70e54ed04787e415f5180414b310.png) -12. In **General** Enter the following details: +11. In **General** Enter the following details: - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later ![Image of configuration settings](images/625ba6d19e8597f05e4907298a454d28.png) -13. Select **Recurring Check-in**. +12. Select **Recurring Check-in**. ![Image of configuration settings](images/68bdbc5754dfc80aa1a024dde0fce7b0.png) -14. Select **Save**. +13. Select **Save**. -15. Select **Packages > Configure**. +14. Select **Packages > Configure**. ![Image of configuration settings](images/8fb4cc03721e1efb4a15867d5241ebfb.png) -16. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. +15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. ![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png) -17. Select **Save**. +16. Select **Save**. ![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png) -18. Select the **Scope** tab. +17. Select the **Scope** tab. ![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png) -19. Select the target computers. +18. Select the target computers. ![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png) @@ -844,7 +842,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png) -20. Select **Done**. +19. Select **Done**. ![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png) From 8c4268ea229155638b6cb9a201fcaa9985a3a8ed Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 13:33:46 +0500 Subject: [PATCH 020/304] Addition of a right A right was missing from the list. Added the basic info. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8551 --- .../security-policy-settings/user-rights-assignment.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 03d0a20cf4..6074db6073 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -69,6 +69,7 @@ The following table links to each security policy setting and provides the const | [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| | [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| | [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| +| [Obtain an impersonation token for another user in the same session]) | SeDelegateSessionUserImpersonatePrivilege| | [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| | [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| | [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| @@ -78,6 +79,7 @@ The following table links to each security policy setting and provides the const | [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege| | [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege| | [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege| + ## Related topics From 4b6d132328c9cf139c94f23508f34b880e329f34 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 4 Jan 2021 18:37:55 +0530 Subject: [PATCH 021/304] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 34 ++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 0a09d31840..19653b1a5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -30,13 +30,40 @@ ms.collection: -Whether you're about to enable or have already deployed attack surface reduction rules for your organization, see the information in this article. By using the tips and best practices in this article, you can employ attack surface reduction rules successfully and avoid potential issues. +The instructions to deploy attack surface reduction (ASR) rules in the most optimal way are available in [Demystifying attack surface reduction rules - Part 2](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-2/ba-p/1326565). +It is highly recommended to test the ASR rules on a sample-like smaller set of devices. For information on the reasons for this recommendation and on how to deploy the ASR rules on a smaller set of devices, see **Use a phased approach** section, below, in this article. + + > [!NOTE] +> Whether you're about to enable or have already deployed ASR rules for your organization, see the information in this article. By using the tips and best practices in this article, you can employ attack surface reduction rules successfully and avoid potential issues. + +**Results of applying ASR rules** + +- The process of applying ASR rules on devices provides scope to query for reports. These queries can be implemented in the form of templates. + + + +- Once applying ASR rules to devices leads to querying for reports, there are a few sources from which reports can be queried. One of such sources is the [Microsoft 365 security center](https://security.microsoft.com) + + +- ## Use a phased approach -Before you roll out attack surface reduction rules in your organization, select a small set of managed devices to start. This approach enables you to see how attack surface reduction rules work in your environment and gives you flexibility in applying exclusions. You can do this with dynamic membership rules. +Before you roll out attack surface reduction rules in your organization, select a small set of managed devices to start. - +The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: + +- **Better prospects for display of ASR rules impact** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. +- **Ease in determining ASR rule exclusion** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of **applicable-not applicable** devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. + +> [!IMPORTANT] +> You can implement the process of applying ASR rules to a smaller device set by utilizing dynamic membership rules. + +**How to configure dynamic membership rules** + + ## Use code signing for applications @@ -115,7 +142,6 @@ Attack surface reduction (ASR) rules for MEM (Microsoft Endpoint Manager)-manage - Only the configurations for conflicting settings are held back. - ## See the demystifying blogs The following table lists several blog posts that you might find helpful. All of these blogs are hosted on the [Microsoft Tech Community site](https://techcommunity.microsoft.com), under [Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog). From 053da0a6581a34a3d11ed9fe2f0c921bc4725ab5 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 09:09:40 -0700 Subject: [PATCH 022/304] Update windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/mac-jamfpro-policies.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index f1017e4215..961a958e6f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -750,7 +750,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png) -4. Select your computer and click the gear icon on the top, select **Computer Management** +4. Select your computer and click the gear icon at the top, then select **Computer Management**. ![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png) @@ -851,4 +851,3 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint - From 7682c17362d6802ae7a7019d280feb3a5263afd1 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 09:22:32 -0700 Subject: [PATCH 023/304] Update windows/security/threat-protection/security-policy-settings/user-rights-assignment.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../security-policy-settings/user-rights-assignment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 6074db6073..656b0c378b 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -69,7 +69,7 @@ The following table links to each security policy setting and provides the const | [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| | [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| | [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| -| [Obtain an impersonation token for another user in the same session]) | SeDelegateSessionUserImpersonatePrivilege| +| [Obtain an impersonation token for another user in the same session](impersonate-a-client-after-authentication.md) | SeDelegateSessionUserImpersonatePrivilege| | [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| | [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| | [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| From 11d5cadf01f2d447f0f36f18552fe5cb5207b532 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 01:20:58 +0100 Subject: [PATCH 024/304] Update filesystem-csp.md Based on the implied confusion in issue ticket #8387 (**FileSystem CSP examples**), I noticed that the 2 **Note** lines in this document do not adhere to the MS standard of using colored Note blobs. This PR aims to rectify that issue, hoping that this may clarify the following: > FileSystem CSP is only supported in Windows 10 Mobile. Thanks to @joinimran for mentioning this fact and making me aware of this issue. Changes proposed: - update/upgrade 2 **Note** lines to use standard Microsoft Note blob formatting - encapsulate filename `winnt.h` in MD back ticks to display as monospaced font Whitespace changes: - Remove 10 empty lines at the end of the document - reduce double blank lines to single (3 occurrences) - remove all redundant end-of-line blank spaces - bullet point lists: reduce triple consecutive blank space to single Closes #8387 --- .../client-management/mdm/filesystem-csp.md | 64 ++++++++----------- 1 file changed, 25 insertions(+), 39 deletions(-) diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 9bad3fe712..39061b8c6d 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -14,41 +14,38 @@ ms.date: 06/26/2017 # FileSystem CSP - The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user. -> **Note**  FileSystem CSP is only supported in Windows 10 Mobile. -> -> -> -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. +> [!NOTE] +> FileSystem CSP is only supported in Windows 10 Mobile. - +> [!NOTE] +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. ![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png) -**FileSystem** +**FileSystem** Required. Defines the root of the file system management object. It functions as the root directory for file system queries. Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path. The following properties are supported for the root node: -- `Name`: The root node name. The Get command is the only supported command. +- `Name`: The root node name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command. +- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command. -- `Format`: The format, which is `node`. The Get command is the only supported command. +- `Format`: The format, which is `node`. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: Not supported. +- `Size`: Not supported. -- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. -***file directory*** +***file directory*** Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements. The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code. @@ -61,19 +58,19 @@ The Delete command is used to delete all files and subfolders under this *file d The following properties are supported for file directories: -- `Name`: The file directory name. The Get command is the only supported command. +- `Name`: The file directory name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command. +- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command. -- `Format`: The format, which is `node`. The Get command is the only supported command. +- `Format`: The format, which is `node`. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: Not supported. +- `Size`: Not supported. -- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file `winnt.h`. This supports the Get command and the Replace command. -***file name*** +***file name*** Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead. The Delete command deletes the file. @@ -86,29 +83,18 @@ The Get command is not supported on a *file name* element, only on the propertie The following properties are supported for files: -- `Name`: The file name. The Get command is the only supported command. +- `Name`: The file name. The Get command is the only supported command. -- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. +- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. -- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command. +- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: The unencoded file content size in bytes. The Get command is the only supported command. +- `Size`: The unencoded file content size in bytes. The Get command is the only supported command. -- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - From dc6a1422ef530c0659824db0176aeafda206d904 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 5 Jan 2021 17:29:55 +0530 Subject: [PATCH 025/304] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index d01c44566e..c8e81166ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -65,6 +65,7 @@ Windows system folders are protected by default, along with several other folder - `c:\Users\\Pictures` - `c:\Users\Public\Pictures` - `c:\Users\Public\Videos` +- `c:\Users\\Videos` - `c:\Users\\Music` - `c:\Users\Public\Music` - `c:\Users\\Favorites` From d8afba6ecda828c656854bf29d1f5a1e6baf91fc Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 5 Jan 2021 19:14:10 +0530 Subject: [PATCH 026/304] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 19653b1a5a..0a7fe26efc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -48,7 +48,28 @@ It is highly recommended to test the ASR rules on a sample-like smaller set of d -- + +**Applicable to rules' states** + +This section describes the best practices with regard to the states which any ASR rule can be set to, irrespective of the method used to configure or deploy the ASR rule. + +Prior to describing the best pratices for the ASR rules' states, it is important to know the states which an ASR rule can be set to: + +- **Not configured**: This is the state in which the ASR rule has been disabled. The code for this state is 0. +- **Block**: This is the state in which the ASR rule is enabled. YThe code for this state is 1. +- **Audit**: This is the state in which the ASR rule is evaluated about its impactive behavior toward the organization or environment in which it is deployed. + +**Recommendation** + +The recommended practice for a deployed ASR rule is to start it in **audit** mode. The reasons for recommendation of this best pratice are: + +1. **Access to logs and reviews**: When an ASR rule is set to **audit** mode, you can get access to the logs and reviews pertaining to it. These logs and reviews are data that helps you to analyze the impact of the ASR rule. +2. **Rule-related decision**: The analysis findings guided by the logs and reviews help you take a decision whether to deploy or exclude the ASR rule or not. For information on ASR rule exclusion see + + + + + ## Use a phased approach Before you roll out attack surface reduction rules in your organization, select a small set of managed devices to start. From 0234660baf0f9855f3eacd73ee2d02232433747e Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 5 Jan 2021 19:52:34 +0530 Subject: [PATCH 027/304] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 0a7fe26efc..ea1d8dbfb2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -154,7 +154,7 @@ Attack surface reduction (ASR) rules for MEM (Microsoft Endpoint Manager)-manage - ASR rules from the following profiles are evaluated for each device the rules apply to: - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction). - Endpoint security > Attack surface reduction policy > Attack surface reduction rules. - - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Attack Surface Reduction Rules. + - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Profiles > Profile Name > Properties > Configuration settings > Attack Surface Reduction Rules - Settings that do not have conflicts are added to a superset of policy for the device. From cd12eb005a60ba0d937d257dcb450b3eae560049 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 7 Jan 2021 20:54:26 +0100 Subject: [PATCH 028/304] Missing verb "is" in line 36 Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/filesystem-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 39061b8c6d..9a50b99317 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -60,7 +60,7 @@ The following properties are supported for file directories: - `Name`: The file directory name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command. +- `Type`: The MIME type of the file, which is an empty string for directories that are not the root node. The Get command is the only supported command. - `Format`: The format, which is `node`. The Get command is the only supported command. From 655e9bd4d318470d7eba59d6c605c8d0449e5574 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 7 Jan 2021 20:55:07 +0100 Subject: [PATCH 029/304] Missing capitalization for WBXML in line 90 Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/filesystem-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 9a50b99317..12547591ba 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -87,7 +87,7 @@ The following properties are supported for files: - `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. -- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command. +- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over WBXML. The Get command is the only supported command. - `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. From 4e744a03176f3b387f71d98005fe7bd3d25f7319 Mon Sep 17 00:00:00 2001 From: Benny Shilpa Date: Fri, 8 Jan 2021 12:48:00 +0530 Subject: [PATCH 030/304] Update symantec-to-microsoft-defender-atp-setup.md --- .../symantec-to-microsoft-defender-atp-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index 72385ecf92..d251f87b7a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -117,7 +117,7 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

2. Type `sc query windefend`, and then press Enter.

3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.| > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. From 8910a420b285c848ad75714291673b1f4493b864 Mon Sep 17 00:00:00 2001 From: Benny Shilpa Date: Fri, 8 Jan 2021 12:58:17 +0530 Subject: [PATCH 031/304] Update mcafee-to-microsoft-defender-setup.md --- .../mcafee-to-microsoft-defender-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md index 432aed7160..8b4ea42244 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -142,7 +142,7 @@ Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defen |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

2. Type `sc query windefend`, and then press Enter.

3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.| > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. From abc9f48f50788ec2ffa57a803e9f745ba3ceb7fe Mon Sep 17 00:00:00 2001 From: Benny Shilpa Date: Fri, 8 Jan 2021 13:02:40 +0530 Subject: [PATCH 032/304] Update switch-to-microsoft-defender-setup.md --- .../switch-to-microsoft-defender-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md index c1ad46027c..cce6dd54eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md @@ -138,7 +138,7 @@ Microsoft Defender Antivirus can run alongside your existing endpoint protection |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

2. Type `sc query windefend`, and then press Enter.

3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. | > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. From b6e9b39ce408c7638c5c91cd60a4e7be45102886 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 12 Jan 2021 00:26:51 +0100 Subject: [PATCH 033/304] Update distribute-offline-apps.md From issue ticket #8942 (**Broken link - Distribute offline apps**): > Hi all. > > In Distribute offline apps (https://docs.microsoft.com/en-us/microsoft-store/distribute-offline-apps) the link Manage apps from Microsoft Store for Business with Microsoft Intune that points to [docs.microsoft.com/en-us/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune](https://docs.microsoft.com/en-us/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune) rports error 404. Probably the destination has changed URL. I believe that it should point to the doc How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune - [docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business](https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business). > > Can you double check this and fix it please? Thanks to @joaonltome for noticing and reporting this broken link and also suggesting a likely solution. Changes proposed: - Replace the broken link /microsoft-store/distribute-offline-apps with the working page link /mem/intune/apps/windows-store-for-business . - Change the paragraph title "To download an offline-licensed app" from **bold** formatting to a H3 heading, as well as including the HTML anchor in that heading. (This heading level might possibly need to be a H4 heading size to remain the same size as its current **bold**-only format.) Whitespace changes: - Remove 13 redundant blank lines at the end of the document page. - By removing these 13 blank lines, we also remove that redundant empty command copy box (created by indents). - Reduce 12 occurrences of 3 blank spaces after bullet point list indicators to 1 space. - Reduce 6 occurrences of double blank space after numbered list indicators to 1 space. - Add missing colon in **Applies to:** . Closes #8942 --- store-for-business/distribute-offline-apps.md | 56 +++++++------------ 1 file changed, 21 insertions(+), 35 deletions(-) diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 33b58da4ab..e3dbdb3592 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -18,10 +18,10 @@ ms.date: 10/17/2017 # Distribute offline apps -**Applies to** +**Applies to:** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store. @@ -29,23 +29,23 @@ Offline licensing is a new licensing option for Windows 10 with Microsoft Store Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps: -- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. +- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. -- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD). +- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD). -- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store. +- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store. ## Distribution options for offline-licensed apps You can't distribute offline-licensed apps directly from Microsoft Store. Once you download the items for the offline-licensed app, you have options for distributing the apps: -- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows). +- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows). -- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages). +- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages). -- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics: +- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics: - [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
+ - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/windows-store-for-business)
For third-party MDM providers or management servers, check your product documentation. @@ -53,23 +53,22 @@ For third-party MDM providers or management servers, check your product document There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app. -- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. +- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. -- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. +- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. -- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. +- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. -- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. +- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. - -**To download an offline-licensed app** +### To download an offline-licensed app -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**. -3. Click **Settings**. -4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. -5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. -6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**. +3. Click **Settings**. +4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. +5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. +6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional. - **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required. @@ -78,16 +77,3 @@ There are several items to download or create for offline-licensed apps. The app > [!NOTE] > You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible. - - - -   - -  - -  - - - - - From 799286b74cfbace1cfb86634890c20b8268d0def Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 12 Jan 2021 01:01:35 +0100 Subject: [PATCH 034/304] Revert HTML anchor link heading format - change "To download an offline-licensed app" heading format back to **bold** - remove the line separation (NewLine/Line break) to enable the anchor link again --- store-for-business/distribute-offline-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index e3dbdb3592..c22a4358d7 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -61,7 +61,7 @@ There are several items to download or create for offline-licensed apps. The app - **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. -### To download an offline-licensed app +**To download an offline-licensed app** 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. From 500fd2c72ee5fa5d5ce00dbe699dabac111a77e3 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 12 Jan 2021 10:50:21 +0500 Subject: [PATCH 035/304] Update use-vamt-in-windows-powershell.md --- .../volume-activation/use-vamt-in-windows-powershell.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 7389bcd273..0fcb1ad99c 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -57,7 +57,7 @@ get-help get-VamtProduct -all ``` **Warning** -The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=242278). +The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/vamt). **To view VAMT PowerShell Help sections** From eb8843f637a817ceb46c8c58d9eb75c116ab8655 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 12 Jan 2021 11:59:56 +0500 Subject: [PATCH 036/304] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 265aa7219d..fc57328704 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multi-factor authentication). +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes Azure AD Multi-Factor Authentication license (like Microsoft 365), or use third-party Multi-Factor Authentication provider. If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 7c7a13348fa00a44133e085964b25260ba80d04e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 12 Jan 2021 14:37:28 +0500 Subject: [PATCH 037/304] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index fc57328704..d99d54226f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes Azure AD Multi-Factor Authentication license (like Microsoft 365), or use third-party Multi-Factor Authentication provider. +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes an Azure AD Multi-Factor Authentication license (like Microsoft 365) or to use a third-party Multi-Factor Authentication provider. If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 92c77fa38c443d7c33dd647ba2700ebbc85e1921 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 12 Jan 2021 19:33:47 +0100 Subject: [PATCH 038/304] correct casing for "the internet" to 'the Internet' Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- store-for-business/distribute-offline-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index c22a4358d7..8a5ead4fe6 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -29,7 +29,7 @@ Offline licensing is a new licensing option for Windows 10 with Microsoft Store Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps: -- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. +- **You don't have access to Microsoft Store services** - If your employees don't have access to the Internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. - **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD). From 7ced57c6927538be4219721a78fa1d09b0eb879a Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 13 Jan 2021 07:23:37 +0500 Subject: [PATCH 039/304] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index d99d54226f..ba1692b00e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes an Azure AD Multi-Factor Authentication license (like Microsoft 365) or to use a third-party Multi-Factor Authentication provider. +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to use a third-party Multi-Factor Authentication provider. If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From bcd0ea8622f7858720b7f9d28bf8f718567be1d6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:49:14 -0800 Subject: [PATCH 040/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 33 ++++++++++++------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2d4e5efdb5..c43654ba5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 12/15/2020 +ms.date: 01/15/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -31,20 +31,29 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -Did Microsoft Defender for Endpoint identify an artifact as malicious, even though it wasn't? Are files or processes that are not a threat being stopped in their tracks by Defender for Endpoint? Or, did Defender for Endpoint miss something? Use this article as a guide for addressing false positives or false negatives in Defender for Endpoint. +In Microsoft Defender for Endpoint, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. -| Step | Description | -|:---|:---| -| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | A false positive is something that was detected and identified as malicious, when in fact it does not pose a threat.
A false negative is something that was not detected as a threat even though it is, in fact, malicious.
Both false positives and false negatives can be problematic for your organization. | -| 2. [Review/define exclusions for Defender for Endpoint](#review-or-define-exclusions) | | -| 3. [Review/define indicators for Defender for Endpoint](#review-or-define-indicators) | | -| 4. [Classify a false positive/negative in Defender for Endpoint](#classify-a-false-positive-or-false-negative) | | -| 5. [Submit a file for analysis](#submit-a-file-for-analysis) | | -| 6. [Confirm your software uses EV code signing](#confirm-your-software-uses-ev-code-signing) | | +Review your threat protection settings +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: -## Identify a false positive/negative +- Cloud-delivered protection +- Remediation for potentially unwanted apps (PUA) + +### Cloud-delivered protection + +Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. + +See [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) + +### Remediation for potentially unwanted applications (PUA) + +Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. + +Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. + +> [!TIP] +> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). -*How do we know something is a false positive or negative? What do we want customers to look for?* ## Review or define exclusions From a41ed13796f6238a069151684485c15296665174 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:50:25 -0800 Subject: [PATCH 041/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index c43654ba5e..7e2224fc74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -54,6 +54,16 @@ Depending on the apps your organization is using, you might be getting false pos > [!TIP] > To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). +#### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. +4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) +6. Choose **Review + save**, and then choose **Save**. + + ## Review or define exclusions From 0509296bac40162a4aefbfe21aecf284507843ac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:50:48 -0800 Subject: [PATCH 042/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7e2224fc74..703de9a4ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -56,12 +56,12 @@ Depending on the apps your organization is using, you might be getting false pos #### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). -3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. -4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. -5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) -6. Choose **Review + save**, and then choose **Save**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. +4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) +6. Choose **Review + save**, and then choose **Save**. From 1c60d9b448e225a8707e85cbc1d7c0292741de68 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:52:02 -0800 Subject: [PATCH 043/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 703de9a4ef..4fc988374f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -57,12 +57,23 @@ Depending on the apps your organization is using, you might be getting false pos #### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile)). 3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. 4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. 5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) 6. Choose **Review + save**, and then choose **Save**. +#### Use Microsoft Endpoint Manager to set PUA protection for a new configuration profile + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. +3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**. +4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. +5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn PUA protection off, but by using audit mode, you will be able to see detections.) +7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. +9. On the **Review + create** tab, review your settings, and, and then choose **Create**. ## Review or define exclusions From 47a5ddb4b59892d07f31a4ef6dc08737e27e7a14 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:54:35 -0800 Subject: [PATCH 044/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4fc988374f..d120882e6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -76,9 +76,17 @@ Depending on the apps your organization is using, you might be getting false pos 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. -## Review or define exclusions +## Review or define exclusions for Microsoft Defender for Endpoint + +An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. + +To define exclusions across Microsoft Defender for Endpoint, you must perform at least two kinds of tasks: + +- Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) +- Create “allow” indicators for Microsoft Defender for Endpoint () + +You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. -*Exclusions are defined for AutoIR and for MDAV, yes?* ## Review or define indicators From ba8ffab39c6b33c5d8b74f831c6adb308218a1fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:55:40 -0800 Subject: [PATCH 045/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d120882e6a..4cfd1708d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -85,7 +85,7 @@ To define exclusions across Microsoft Defender for Endpoint, you must perform at - Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) - Create “allow” indicators for Microsoft Defender for Endpoint () -You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. +You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. ## Review or define indicators From f1e6f6f4ff42ca4086b58915cf99051c152af1e2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:56:39 -0800 Subject: [PATCH 046/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4cfd1708d9..61db33647d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -75,17 +75,15 @@ Depending on the apps your organization is using, you might be getting false pos 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. - ## Review or define exclusions for Microsoft Defender for Endpoint An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. To define exclusions across Microsoft Defender for Endpoint, you must perform at least two kinds of tasks: - - Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) - Create “allow” indicators for Microsoft Defender for Endpoint () -You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. +You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). ## Review or define indicators From 04e2d46c5b0994aefda58e659b99e89164de1dad Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:06:18 -0800 Subject: [PATCH 047/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 61db33647d..f9216bbfe8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -85,6 +85,33 @@ To define exclusions across Microsoft Defender for Endpoint, you must perform at You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions. + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as Windows 10 and later, macOS, or Windows 10 and Windows Server). +4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags]( Use role-based access control (RBAC) and scope tags for distributed IT in Intune | Microsoft Docs).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + + ## Review or define indicators From 3d1407fd3a22033c4ba167208dc03f379cc85de2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:06:54 -0800 Subject: [PATCH 048/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f9216bbfe8..4fd508750d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -90,7 +90,7 @@ You must perform both kinds of tasks because Microsoft Defender Antivirus exclus In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions. > [!TIP] -> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). #### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies @@ -101,6 +101,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 5. Choose **Review + save**, and then choose **Save**. #### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions + 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. 3. Select a platform (such as Windows 10 and later, macOS, or Windows 10 and Windows Server). From 3c5d2a3d2429851c32762559e667f20c91f60cc7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:09:06 -0800 Subject: [PATCH 049/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4fd508750d..b43e1e658d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -95,7 +95,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti #### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-an-antivirus-policy-with-exclusions)). 3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. 4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. 5. Choose **Review + save**, and then choose **Save**. @@ -108,7 +108,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. 5. Specify a name and description for the profile, and then choose **Next**. 6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. -7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags]( Use role-based access control (RBAC) and scope tags for distributed IT in Intune | Microsoft Docs).) +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. From 480e2a5a36204a7a1aa754c651f18631efbc55e7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:10:06 -0800 Subject: [PATCH 050/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b43e1e658d..41af0bb20a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -112,8 +112,6 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. - - ## Review or define indicators *Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* From 514985aeb75c4975f24cb75ae6bc930a61ee32fc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 14:02:08 -0800 Subject: [PATCH 051/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 41af0bb20a..684eb83488 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,7 +33,8 @@ ms.custom: FPFN In Microsoft Defender for Endpoint, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. -Review your threat protection settings +## Review your threat protection settings + Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - Cloud-delivered protection @@ -112,13 +113,17 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. -## Review or define indicators +### Indicators for Microsoft Defender for Endpoint *Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* -## Classify a false positive or false negative +To specify files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. "Allow" indicators prevent the following capabilities of Microsoft Defender for Endpoint from taking action on entities: + +- [Next-generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) +- [Endpoint detection and response](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Automated investigation & remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) + -*Need to figure out where/how this is done* ## Submit a file for analysis From 7312853d028e81efbab426af3f5c28d1240c8d34 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 14:02:28 -0800 Subject: [PATCH 052/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 684eb83488..ae042deaee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -53,7 +53,7 @@ Potentially unwanted applications (PUA) are a category of software that can caus Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. > [!TIP] -> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). +> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). #### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles @@ -119,9 +119,9 @@ In general, you should not need to define exclusions for Microsoft Defender Anti To specify files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. "Allow" indicators prevent the following capabilities of Microsoft Defender for Endpoint from taking action on entities: -- [Next-generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) -- [Endpoint detection and response](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) -- [Automated investigation & remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) +- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) From 7c5956b1042be489edae1df096f4ac0d1171fdee Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 13 Jan 2021 18:40:39 -0800 Subject: [PATCH 053/304] new article --- windows/security/threat-protection/TOC.md | 1 + ...igure-vulnerability-email-notifications.md | 93 +++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 0af4c22a60..ae036e54a1 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -478,6 +478,7 @@ #### [General]() ##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md) ##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) +##### [Configure vulnerability notifications](microsoft-defender-atp/configure-vulnerability-email-notifications.md) ##### [Configure advanced features](microsoft-defender-atp/advanced-features.md) #### [Permissions]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md new file mode 100644 index 0000000000..ba7b6f4bd7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md @@ -0,0 +1,93 @@ +--- +title: Configure vulnerability email notifications in Microsoft Defender for Endpoint +description: You can use Microsoft Defender Advanced Threat Protection to configure email notification settings for security alerts, based on severity and other criteria. +keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Configure vulnerability email notifications in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) + +Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from Defender for Endpoint's [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) capability. + +> [!NOTE] +> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md) + +The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they are added. + +If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. +Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups. + +The email notification includes basic information about the vulnerability event. There are also links to filtered views in the threat and vulnerability management [Security recommendations](tvm-security-recommendation.md) and [Weaknesses](tvm-weaknesses.md) pages in the portal so you can do further investigation. + +## Create rules for alert notifications + +Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected. + +1. In the navigation pane, go to **Settings** > **Email notifications** > **Vulnerabilities**. + +2. Select **Add notification rule**. + +3. Name the email notification rule and include a description. + +4. Check **Notification enabled** to activate the notification. Select **Next** + +5. Fill in the notification settings. Then select **Next** + + - Choose device groups to get notifications for. + - Choose the vulnerability event(s) that you want to be notified about when they affect your organization. + - Options: new vulnerability found (including severity threshold), new public exploit, exploit added to an exploit kit, exploit was verified. + - Include organization name if you want the organization name in the email + +6. Enter the recipient email address then select **Add**. You can add multiple email addresses. + +7. Review the settings for the new email notification rule and select **Create rule** when you're ready to create it. + +## Edit a notification rule + +1. Select the notification rule you'd like to edit. + +2. Select the **Edit rule** button next to the pencil icon in the flyout. Make sure you have permission to edit or delete the rule. + +## Delete notification rule + +1. Select the notification rule you'd like to delete. + +2. Select the **Delete** button next to the trash can icon in the flyout. Make sure you have permission to edit or delete the rule. + +## Troubleshoot email notifications for alerts + +This section lists various issues that you may encounter when using email notifications for alerts. + +**Problem:** Intended recipients report they are not getting the notifications. + +**Solution:** Make sure that the notifications are not blocked by email filters: + +1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk. +2. Check that your email security product is not blocking the email notifications from Defender for Endpoint. +3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications. + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) From 851c458c5ff99dd87e853f72c128eef189c27e89 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 13 Jan 2021 19:00:10 -0800 Subject: [PATCH 054/304] new tip --- .../threat-and-vuln-mgt-event-timeline.md | 3 +++ .../microsoft-defender-atp/tvm-security-recommendation.md | 3 +++ .../microsoft-defender-atp/tvm-weaknesses.md | 8 ++------ 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md index 32cb4825cb..571585c5e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md @@ -32,6 +32,9 @@ Event timeline is a risk news feed that helps you interpret how risk is introduc Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) and [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) so you can determine the cause of large changes. Events can impact your devices or your score for devices. Reduce you exposure by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md). +>[!TIP] +>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md) + ## Navigate to the Event timeline page There are also three entry points from the [threat and vulnerability management dashboard](tvm-dashboard-insights.md): diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 1a7f20a55c..87e6e68dfe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -33,6 +33,9 @@ Cybersecurity weaknesses identified in your organization are mapped to actionabl Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. +>[!TIP] +>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md) + ## How it works Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index e9ead66986..71ba98489d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -35,12 +35,8 @@ The **Weaknesses** page lists the software vulnerabilities your devices are expo >[!NOTE] >If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management. ->[!IMPORTANT] ->To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network: ->- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) ->- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) ->- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) ->- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +>[!TIP] +>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md) ## Navigate to the Weaknesses page From b83175dcb1eafe83648d424b07efa4bc40665622 Mon Sep 17 00:00:00 2001 From: msft-cjeich Date: Thu, 14 Jan 2021 12:17:20 -0800 Subject: [PATCH 055/304] Update web-content-filtering.md Text update to account for changes to our data provider. Also - 15 min for policy sync is incorrect. SLA should be 2hrs. Include other 3rd party browsers which NP supports. This is a server-side change which requires no client side changes. --- .../microsoft-defender-atp/web-content-filtering.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index d8daf9644c..b6d259a0f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -32,7 +32,7 @@ Web content filtering is part of [Web protection](web-protection-overview.md) ca Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource. -Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section. +Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave and Opera). For more information about browser support, see the prerequisites section. Summarizing the benefits: @@ -42,7 +42,7 @@ Summarizing the benefits: ## User experience -The blocking experience for Chrome/Firefox is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. +The blocking experience for 3rd party supported browsers is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. For a more user-friendly in-browser experience, consider using Microsoft Edge. @@ -54,11 +54,11 @@ Before trying out this feature, make sure you have the following requirements: - Access to Microsoft Defender Security Center portal - Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update. -If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. +If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave and Opera are currently 3rd party browsers in which the feature is enabled. ## Data handling -We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds. +We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. ## Turn on web content filtering @@ -78,7 +78,7 @@ To add a new policy: 2. Specify a name. 3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories. 4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. -5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices. +5. Review the summary and save the policy. The policy refresh may take up to 2 hours to apply to your selected devices. Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. @@ -138,7 +138,7 @@ Use the time range filter at the top left of the page to select a time period. Y ### Limitations and known issues in this preview -- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox. +- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across supported 3rd party browsers. - Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts. From 44c4fbf6396ca58b9b8ac058e1a73fe8902b9e9f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 13:42:27 -0800 Subject: [PATCH 056/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ae042deaee..ffdbda504e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -80,11 +80,13 @@ Depending on the apps your organization is using, you might be getting false pos An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. -To define exclusions across Microsoft Defender for Endpoint, you must perform at least two kinds of tasks: -- Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) -- Create “allow” indicators for Microsoft Defender for Endpoint () +To define exclusions across Microsoft Defender for Endpoint, you perform these two tasks: +- Define exclusions for Microsoft Defender Antivirus +- Create “allow” indicators for Microsoft Defender for Endpoint -You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. + +The procedures in this section describe how to define exclusions and indicators. ### Exclusions for Microsoft Defender Antivirus From 2a62143a863c9cac8d8a0ed1092bcd69b5bee3c9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 13:43:08 -0800 Subject: [PATCH 057/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ffdbda504e..e6f69698aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -90,7 +90,7 @@ The procedures in this section describe how to define exclusions and indicators. ### Exclusions for Microsoft Defender Antivirus -In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions. +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. > [!TIP] > Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). From b02a689fcabe64b16fef1247e8ccc188bf8654b6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 13:51:31 -0800 Subject: [PATCH 058/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e6f69698aa..06cebc920f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -117,9 +117,9 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -*Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* +Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. -To specify files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. "Allow" indicators prevent the following capabilities of Microsoft Defender for Endpoint from taking action on entities: +To specify entities, such as files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) From 49b4a9cf0bf746ff8518710c2898c518af0caf3a Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Thu, 14 Jan 2021 13:57:38 -0800 Subject: [PATCH 059/304] updated details --- .../configure-vulnerability-email-notifications.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md index ba7b6f4bd7..5c24aa1ae7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md @@ -1,6 +1,6 @@ --- title: Configure vulnerability email notifications in Microsoft Defender for Endpoint -description: You can use Microsoft Defender Advanced Threat Protection to configure email notification settings for security alerts, based on severity and other criteria. +description: Use Microsoft Defender for Endpoint to configure email notification settings for vulnerability events. keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -36,7 +36,7 @@ The notification rules allow you to set the vulnerability events that trigger no If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups. -The email notification includes basic information about the vulnerability event. There are also links to filtered views in the threat and vulnerability management [Security recommendations](tvm-security-recommendation.md) and [Weaknesses](tvm-weaknesses.md) pages in the portal so you can do further investigation. +The email notification includes basic information about the vulnerability event. There are also links to filtered views in the threat and vulnerability management [Security recommendations](tvm-security-recommendation.md) and [Weaknesses](tvm-weaknesses.md) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability. ## Create rules for alert notifications From 558c597ae5ad9918710b3508881b980bc409a785 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Thu, 14 Jan 2021 14:11:31 -0800 Subject: [PATCH 060/304] new support --- .../microsoft-defender-atp/tvm-supported-os.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index d466083c34..3b2d975822 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -37,9 +37,9 @@ Before you begin, ensure that you meet the following operating system or platfor Operating system | Security assessment support :---|:--- Windows 7 | Operating System (OS) vulnerabilities -Windows 8.1 | Not supported -Windows 10 1607-1703 | Operating System (OS) vulnerabilities -Windows 10 1709+ |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment +Windows 8.1 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment | +Windows 10, versions 1607-1703 | Operating System (OS) vulnerabilities +Windows 10, version 1709 or later |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment From 8dcc9193719eca758c78c4a28af7ed1b7508ebff Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 14:13:59 -0800 Subject: [PATCH 061/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 06cebc920f..7b10b4055e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -119,13 +119,18 @@ In general, you should not need to define exclusions for Microsoft Defender Anti Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. -To specify entities, such as files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: +To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) +You can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): +- [Learn more about indicators](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-file) +- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) +- [Create an indicator for an application certificate](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) ## Submit a file for analysis From 686d53ec8af732d9193d252fbcdd800446163efa Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 14:21:59 -0800 Subject: [PATCH 062/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7b10b4055e..870ce280d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -132,6 +132,9 @@ You can create indicators for files, IP addresses, URLs, domains, and certificat - [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) - [Create an indicator for an application certificate](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) +> [!TIP] +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. + ## Submit a file for analysis *https://www.microsoft.com/wdsi/filesubmission/* From e371bbcd198bee71ae509467d145686035ea23f8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 15:21:53 -0800 Subject: [PATCH 063/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 870ce280d6..21a9dffad4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -119,21 +119,30 @@ In general, you should not need to define exclusions for Microsoft Defender Anti Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: +To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -You can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): -- [Learn more about indicators](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-file) -- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) -- [Create an indicator for an application certificate](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) +- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) +- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) +- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) > [!TIP] -> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the information, including prerequisites, + +## Classify a false positive or false negative + +### Suppress alerts for a false positive + +To suppress an alert, you create an alert suppression rule. + +1. Go to the Microsoft Defender Security Center () + ## Submit a file for analysis From 593e88abae3a0d4d650d43d98d09f6e9d9d2fdb5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 15:32:05 -0800 Subject: [PATCH 064/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 21a9dffad4..ee2d488676 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -137,12 +137,17 @@ Your security team can create indicators for files, IP addresses, URLs, domains, ## Classify a false positive or false negative -### Suppress alerts for a false positive +### Classify an alert as a false positive -To suppress an alert, you create an alert suppression rule. +Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. -1. Go to the Microsoft Defender Security Center () +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert that is a false positive. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. +> [!TIP] +> For more details about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). ## Submit a file for analysis From b4a2125bc097ea67e3ba0aa56316323feb1c81a4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 11:38:36 -0800 Subject: [PATCH 065/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ee2d488676..5f0e8172e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -137,6 +137,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains, ## Classify a false positive or false negative +As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + +### Suppress an alert + + + ### Classify an alert as a false positive Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. From 33bdd42057de9d1c7d326fedfbf3c1ed59ab24f2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 11:43:57 -0800 Subject: [PATCH 066/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5f0e8172e9..2a143eeeca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In Microsoft Defender for Endpoint, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. ## Review your threat protection settings From 03455cece21ba363366bd6962c0a8b62a5251de8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 11:53:37 -0800 Subject: [PATCH 067/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2a143eeeca..5e214daece 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,11 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: +- Reviewing your threat protection settings and making adjustments where needed +- + +If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. ## Review your threat protection settings From 5eddcebd712edab6b9dd9822886e3e4571db2c3d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:06:56 -0800 Subject: [PATCH 068/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5e214daece..7e8b9fe917 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,11 +31,14 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: -- Reviewing your threat protection settings and making adjustments where needed -- +In endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: +- [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); +- [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); +- [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); +- [Submitting files for further analysis](#submit-a-file-for-analysis); and +- [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). -If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +If you’re using Microsoft Defender for Endpoint, and you're seeing false positives/negatives in your Microsoft Defender Security Center, use this article as a guide to take action. ## Review your threat protection settings From 19182cc41478da89fd15c381c01a4c9f80ff1cdd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:15:08 -0800 Subject: [PATCH 069/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7e8b9fe917..a77c24e5c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -38,7 +38,7 @@ In endpoint protection, a false positive is an entity, such as a file or process - [Submitting files for further analysis](#submit-a-file-for-analysis); and - [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). -If you’re using Microsoft Defender for Endpoint, and you're seeing false positives/negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. ## Review your threat protection settings @@ -168,4 +168,6 @@ Your security team can classify an alert as a false positive in the Microsoft De ## Confirm your software uses EV code signing -*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* \ No newline at end of file +*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* + +## Still need help? \ No newline at end of file From b76685aa6938c547cafd7b397aa2e606759fc87d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:22:20 -0800 Subject: [PATCH 070/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index a77c24e5c2..1881a1f688 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -42,7 +42,7 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w ## Review your threat protection settings -Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - Cloud-delivered protection - Remediation for potentially unwanted apps (PUA) @@ -85,13 +85,13 @@ Depending on the apps your organization is using, you might be getting false pos ## Review or define exclusions for Microsoft Defender for Endpoint -An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. +An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. -To define exclusions across Microsoft Defender for Endpoint, you perform these two tasks: +To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: - Define exclusions for Microsoft Defender Antivirus - Create “allow” indicators for Microsoft Defender for Endpoint -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. The procedures in this section describe how to define exclusions and indicators. From 04ec92cf634ec8ddfb09c0ba1692039b10f1ff4a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:41:26 -0800 Subject: [PATCH 071/304] Update defender-endpoint-false-positives-negatives.md --- ...defender-endpoint-false-positives-negatives.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1881a1f688..8db2bfbd67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -51,7 +51,20 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. -See [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) +We recommend using Microsoft Endpoint Manager to edit your cloud-delivered protection settings. + +#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose Endpoint security > Antivirus and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +5. Choose **Review + save**, and then **Save**. + + + +> [!TIP] +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) ### Remediation for potentially unwanted applications (PUA) From 05b7341aee7a6b1c2d39f90f5eebe8fc9adc5f9c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:42:15 -0800 Subject: [PATCH 072/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8db2bfbd67..1a74f33fa5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -56,12 +56,12 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose Endpoint security > Antivirus and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). 3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. 4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. - +#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) From cdd241e8d99345b9797dfc7a4175c2b2b0236976 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:49:22 -0800 Subject: [PATCH 073/304] Update TOC.md --- windows/security/threat-protection/TOC.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 4fd85c48d2..d64cf954ff 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -508,6 +508,8 @@ #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) +### [Address false positives/negatives in Microsoft Defender for Endpoint](microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) + ### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md) ## Reference From cdde314ed51395c2fc9aee94d6fcdbff2fbedbb2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:49:34 -0800 Subject: [PATCH 074/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1a74f33fa5..22e7b90793 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -63,6 +63,8 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy + + > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) From 68ea7ac163b7f95c072adcbad71e11f583111b3e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 13:28:26 -0800 Subject: [PATCH 075/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 22e7b90793..1ef9284ac9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -44,8 +44,8 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: -- Cloud-delivered protection -- Remediation for potentially unwanted apps (PUA) +- [Cloud-delivered protection](#cloud-delivered-protection) +- [Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA) ### Cloud-delivered protection @@ -55,11 +55,11 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). -3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. -4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. -5. Choose **Review + save**, and then **Save**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). +3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +5. Choose **Review + save**, and then **Save**. #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy From 9422afe00f6e835c8fbc33b7259acc60f144d893 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 13:43:24 -0800 Subject: [PATCH 076/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1ef9284ac9..cfe7df33b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -38,7 +38,7 @@ In endpoint protection, a false positive is an entity, such as a file or process - [Submitting files for further analysis](#submit-a-file-for-analysis); and - [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). -If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. ## Review your threat protection settings @@ -63,7 +63,8 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy - +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) From a25292e549f421e316dc663adfa53259a74c9e1a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 13:59:55 -0800 Subject: [PATCH 077/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index cfe7df33b6..c0b9058440 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -64,7 +64,14 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. +2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**. +3. For **Platform**, select an option, and then for **Profile**, select **Antivirus** or **Microsoft Defender Antivirus** (the specific option depends on what you selected for **Platform**.) Then choose **Create**. +4. On the **Basics** tab, specify a name and description for the policy. Then choose **Next**. +5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: + - Set **Turn on cloud-delivered protection** to **Yes**. + - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) +6. On the **Scope tags** tab, + > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) @@ -135,7 +142,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 5. Specify a name and description for the profile, and then choose **Next**. 6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. 7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) -8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. ### Indicators for Microsoft Defender for Endpoint From 07713c98772ee3af4565a1b149553e519daf4dd1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:02:25 -0800 Subject: [PATCH 078/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index c0b9058440..41a001d354 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -51,6 +51,9 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. +> [!TIP] +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) + We recommend using Microsoft Endpoint Manager to edit your cloud-delivered protection settings. #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings @@ -70,11 +73,12 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: - Set **Turn on cloud-delivered protection** to **Yes**. - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) -6. On the **Scope tags** tab, +6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + -> [!TIP] -> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) ### Remediation for potentially unwanted applications (PUA) From 70896026c3c8aede5837401ed9e3ef30efdd2c84 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:08:28 -0800 Subject: [PATCH 079/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 41a001d354..60b333fb5f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -77,9 +77,6 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. - - - ### Remediation for potentially unwanted applications (PUA) Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. @@ -175,6 +172,8 @@ As alerts are triggered, if you see something that was detected as malicious or ### Suppress an alert +You can suppress an alert in the Microsoft Defender Security Center. + ### Classify an alert as a false positive From c89b09bdf3e1c53a30105dd41db70db9dfc2d9d2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:13:56 -0800 Subject: [PATCH 080/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 60b333fb5f..b9a77466b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -103,7 +103,7 @@ Depending on the apps your organization is using, you might be getting false pos 4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. 5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. 6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn PUA protection off, but by using audit mode, you will be able to see detections.) -7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. From 04b09667e6a2174745db3d5891431b0466f6844a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:22:26 -0800 Subject: [PATCH 081/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b9a77466b5..1ea52853e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -42,7 +42,7 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w ## Review your threat protection settings -Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - [Cloud-delivered protection](#cloud-delivered-protection) - [Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA) @@ -73,7 +73,7 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: - Set **Turn on cloud-delivered protection** to **Yes**. - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) -6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. @@ -138,7 +138,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. -3. Select a platform (such as Windows 10 and later, macOS, or Windows 10 and Windows Server). +3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). 4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. 5. Specify a name and description for the profile, and then choose **Next**. 6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. From e3b8b22f857727ef5deb18bd5f8ad38e72aaa5c8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:23:04 -0800 Subject: [PATCH 082/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1ea52853e9..4e7efcd55a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -102,7 +102,7 @@ Depending on the apps your organization is using, you might be getting false pos 3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**. 4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. 5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. -6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn PUA protection off, but by using audit mode, you will be able to see detections.) +6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn off PUA protection, but by using audit mode, you will be able to see detections.) 7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. @@ -115,7 +115,7 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi - Define exclusions for Microsoft Defender Antivirus - Create “allow” indicators for Microsoft Defender for Endpoint -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. The procedures in this section describe how to define exclusions and indicators. @@ -186,7 +186,7 @@ Your security team can classify an alert as a false positive in the Microsoft De 4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. > [!TIP] -> For more details about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). +> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). ## Submit a file for analysis From a0d3c8e46811e7101948011a7789634861d87425 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:33:09 -0800 Subject: [PATCH 083/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4e7efcd55a..e022ecd644 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -156,7 +156,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): - [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) - [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) From 85f16c130ea0dc4a512631922c48d838936c6249 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:34:27 -0800 Subject: [PATCH 084/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e022ecd644..e6352c7739 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity is not actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: - [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); - [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); - [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); From 829d15f748361815e2953a10f2b33726c5a13c5b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:36:34 -0800 Subject: [PATCH 085/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e6352c7739..d1a1651c05 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity is not actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: - [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); - [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); - [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); From 13ea23be0e54cf823514a89cb1e7aae5e518520b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:37:49 -0800 Subject: [PATCH 086/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d1a1651c05..692b8001f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -54,9 +54,9 @@ Check your cloud-delivered protection level for Microsoft Defender Antivirus. By > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) -We recommend using Microsoft Endpoint Manager to edit your cloud-delivered protection settings. +We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings. -#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings +#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). @@ -64,7 +64,7 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. -#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy +#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**. From d1f235b8097193002b28a4845aca1a6684d95a19 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:39:35 -0800 Subject: [PATCH 087/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 692b8001f3..79bd50bdb6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -77,16 +77,18 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. -### Remediation for potentially unwanted applications (PUA) +### Remediation for potentially unwanted applications Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. +We recommend using Microsoft Endpoint Manager to edit or set PUA protection settings. + > [!TIP] > To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). -#### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles +#### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile)). @@ -95,7 +97,7 @@ Depending on the apps your organization is using, you might be getting false pos 5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) 6. Choose **Review + save**, and then choose **Save**. -#### Use Microsoft Endpoint Manager to set PUA protection for a new configuration profile +#### Use Microsoft Endpoint Manager to set PUA protection (for a new configuration profile) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. From f4e06d3edda8d7e7463982471adf3c7d6758f10c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:43:30 -0800 Subject: [PATCH 088/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 79bd50bdb6..945fa7046e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -59,7 +59,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)). 3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. 4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. @@ -91,7 +91,7 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett #### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile)). +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).) 3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. 4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. 5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) From 491246ff122991f20713e366ac4ec1f680b9c3fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:06:40 -0800 Subject: [PATCH 089/304] Update defender-endpoint-false-positives-negatives.md --- ...fender-endpoint-false-positives-negatives.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 945fa7046e..5bdb3bdb43 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -114,8 +114,8 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: -- Define exclusions for Microsoft Defender Antivirus -- Create “allow” indicators for Microsoft Defender for Endpoint +- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) +- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. @@ -128,15 +128,15 @@ In general, you should not need to define exclusions for Microsoft Defender Anti > [!TIP] > Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). -#### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies +#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-an-antivirus-policy-with-exclusions)). +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). 3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. 4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. 5. Choose **Review + save**, and then choose **Save**. -#### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions +#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. @@ -150,7 +150,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: @@ -176,7 +176,10 @@ As alerts are triggered, if you see something that was detected as malicious or You can suppress an alert in the Microsoft Defender Security Center. - +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. ### Classify an alert as a false positive From 212169b3961958a332cc25fb70c2bcd29574198e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:14:08 -0800 Subject: [PATCH 090/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5bdb3bdb43..573573fee3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -179,7 +179,11 @@ You can suppress an alert in the Microsoft Defender Security Center. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, select **Alerts queue**. 3. Select an alert that you want to suppress to open its **Details** pane. -4. +4. In the **Details** pane, choose the ellipsis (`...`), and then choose **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. + +> [!TIP] +> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). ### Classify an alert as a false positive From 9e0135d6f6a59131cb024d703f52e3a92b8f46bb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:25:45 -0800 Subject: [PATCH 091/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 573573fee3..eb27f493c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -195,11 +195,16 @@ Your security team can classify an alert as a false positive in the Microsoft De 4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. > [!TIP] -> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). +> - For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). +> - If your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. ## Submit a file for analysis -*https://www.microsoft.com/wdsi/filesubmission/* +You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. + +1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). + +2. Visit the Microsoft Security Intelligence submission site at [https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission), and submit your file(s). ## Confirm your software uses EV code signing From 6492201cda1c123429423f82730c684011c90521 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:34:23 -0800 Subject: [PATCH 092/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index eb27f493c0..d6efaf4c7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -208,6 +208,8 @@ You can submit files, such as false positives or false negatives, to Microsoft f ## Confirm your software uses EV code signing +As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. + *Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* ## Still need help? \ No newline at end of file From 0d77afe588ae2158bf2495fc44e7e9a10c0ba20f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:36:11 -0800 Subject: [PATCH 093/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d6efaf4c7c..9894246277 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -200,7 +200,7 @@ Your security team can classify an alert as a false positive in the Microsoft De ## Submit a file for analysis -You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. +You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. 1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). From 6e94b9e5ea0af085ae814ffae0b05de0f714418e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:41:02 -0800 Subject: [PATCH 094/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9894246277..566483d5ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -208,7 +208,7 @@ You can submit files, such as false positives or false negatives, to Microsoft f ## Confirm your software uses EV code signing -As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. +As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. *Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* From 1f7a3c6aed3a8baddd7a7949e51c9779f114e90a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:45:25 -0800 Subject: [PATCH 095/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 566483d5ad..8ccb2a1464 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -208,7 +208,7 @@ You can submit files, such as false positives or false negatives, to Microsoft f ## Confirm your software uses EV code signing -As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. +As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. *Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* From 8e578d849a19ec35472d887e21d229914248975a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:49:01 -0800 Subject: [PATCH 096/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8ccb2a1464..5fd958105a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -210,6 +210,9 @@ You can submit files, such as false positives or false negatives, to Microsoft f As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. -*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* +Want to learn more? See the following resources: + +- [Microsoft Security Blog: Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/) +- [Get a code signing certificate](https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate) ## Still need help? \ No newline at end of file From 1850364615dcad85b73c3acc1695fe72e86a6711 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 16:01:55 -0800 Subject: [PATCH 097/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5fd958105a..20d9296951 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -215,4 +215,10 @@ Want to learn more? See the following resources: - [Microsoft Security Blog: Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/) - [Get a code signing certificate](https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate) -## Still need help? \ No newline at end of file +## Still need help? + +If you still need help after working through all the steps in this article, your best bet is to contact technical support. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. +3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. \ No newline at end of file From 55266f36a6982d43f1fb1942165eb0d78873efae Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 16:03:50 -0800 Subject: [PATCH 098/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 20d9296951..c0cf213302 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: - [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); - [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); - [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); From ce22afb841af4e3c5fbd31bf252c12c22eb5ecb4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 16:04:36 -0800 Subject: [PATCH 099/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index c0cf213302..372f40c539 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -204,7 +204,7 @@ You can submit files, such as false positives or false negatives, to Microsoft f 1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). -2. Visit the Microsoft Security Intelligence submission site at [https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission), and submit your file(s). +2. Visit the Microsoft Security Intelligence submission ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). ## Confirm your software uses EV code signing From 5893f5768835f358ad7dae1824a2cbaa12a1975c Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 17 Jan 2021 14:42:06 +0500 Subject: [PATCH 100/304] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-authored-by: mapalko --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index ba1692b00e..8570ec4a63 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to use a third-party Multi-Factor Authentication provider. +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multifactor Authentication through the use of security defaults. Some Azure AD Multifactor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 97136cf8c9ec2eba91ce0020b387d55baaeb0532 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 17 Jan 2021 14:47:53 +0500 Subject: [PATCH 101/304] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 8570ec4a63..449642dfe7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multifactor Authentication through the use of security defaults. Some Azure AD Multifactor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From a000c63a559273bb537cab48c9b29396640984a0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Jan 2021 11:32:59 -0800 Subject: [PATCH 102/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 372f40c539..7b7d214f5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/15/2021 +ms.date: 01/19/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -52,7 +52,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. > [!TIP] -> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus). We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings. From 590d25d31b798511becfa79d2b5a3d675cfbfc90 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Jan 2021 12:07:38 -0800 Subject: [PATCH 103/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7b7d214f5c..ec326b2612 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -150,7 +150,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: From 273dd4589a029b55cba7ce0795732b721f4c50fc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Jan 2021 12:09:11 -0800 Subject: [PATCH 104/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ec326b2612..aa6c823ab6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -152,7 +152,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: +To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) From 2614a6dcebeef0d92a5c8245e4b797048e11cc14 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 20 Jan 2021 18:33:17 +0500 Subject: [PATCH 105/304] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 449642dfe7..0c252830e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 576057ec5bce89bcafe9d656d7ba013088bbf163 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 20 Jan 2021 18:36:10 +0500 Subject: [PATCH 106/304] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 0c252830e7..cb3a0081f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From c466bf04c640455788b97a07d5a031617adb1a85 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:47:46 -0800 Subject: [PATCH 107/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index aa6c823ab6..473172524a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -166,7 +166,15 @@ Your security team can create indicators for files, IP addresses, URLs, domains, - [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) > [!TIP] -> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the information, including prerequisites, +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). + +| Indicator type | Prerequisites | Notes | +|----|----|---| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled.

Your antimalware client version is must be 4.18.1901.x or later.

Your devices are must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action

Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | + + + + ## Classify a false positive or false negative From 5eb90ebe273a332b300d734c429c492da1382cb3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:51:21 -0800 Subject: [PATCH 108/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 473172524a..b8a979b127 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -171,6 +171,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | Notes | |----|----|---| |Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled.

Your antimalware client version is must be 4.18.1901.x or later.

Your devices are must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action

Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | + + + + + From e8f163965b5dbb0b5d731d0be21fe66ffd47d26e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:58:24 -0800 Subject: [PATCH 109/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b8a979b127..8122abd1da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -170,8 +170,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | Notes | |----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled.

Your antimalware client version is must be 4.18.1901.x or later.

Your devices are must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action

Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | | IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | + + + From 66c7569f3377716bba0b8e5e9afad6a8308ddb6c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:59:26 -0800 Subject: [PATCH 110/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8122abd1da..f5ce4cceed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -172,7 +172,8 @@ Your security team can create indicators for files, IP addresses, URLs, domains, |----|----|---| |Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | | IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | + From 08442412663eeb9785fb3a9a1d189c1f0b2dd354 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:59:58 -0800 Subject: [PATCH 111/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f5ce4cceed..5d51a6f36d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -174,19 +174,6 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | | Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | - - - - - - - - - - - - - ## Classify a false positive or false negative As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. From 0b2d7ab3e403ea122bd6e5aa85b23cc645cdb053 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:08:22 -0800 Subject: [PATCH 112/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5d51a6f36d..2242561c26 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/19/2021 +ms.date: 01/21/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro From f58a1d313db4131878d90d90a046a0bf8977b0d2 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 21 Jan 2021 19:07:44 +0530 Subject: [PATCH 113/304] changed minutes to seconds as per user report #8995 , so i changed minutes to seconds i took help from below site **https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-asprov/7dcdd2c3-43ca-4425-b8d4-443b1d2c0638** --- windows/client-management/mdm/policy-csp-devicelock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index f68a71f820..b106637736 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -677,7 +677,7 @@ The following list shows the supported values: -Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. +Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. * On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. * On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. From 704a3a87252a456ce34bc8242c86ddec26dbdb1c Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 21 Jan 2021 21:30:59 +0200 Subject: [PATCH 114/304] add info about network boundary https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8880 --- .../md-app-guard-overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 98150e0f15..0c47055df2 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -52,3 +52,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| From 4d281e31d100e182c94040de6bbde8ee1a8202b9 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 21 Jan 2021 12:54:14 -0800 Subject: [PATCH 115/304] Update waas-delivery-optimization.md Add Edge browser support to content type table. --- windows/deployment/update/waas-delivery-optimization.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index de5f866595..7337c717c1 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -65,7 +65,7 @@ For information about setting up Delivery Optimization, including tips for the b - Office installations and updates - Xbox game pass games - MSIX apps (HTTP downloads only) - - Edge browser installations and updates + - Edge browser installs and updates ## Requirements @@ -90,7 +90,8 @@ The following table lists the minimum Windows 10 version that supports Delivery | Win32 apps for Intune | 1709 | | Xbox game pass games | 2004 | | MSIX apps (HTTP downloads only) | 2004 | -| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 | +| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | +| Edge browser installs and updates | 1809 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). From 1e96248e32a1da6172b1b24587481405dba6c81c Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 21 Jan 2021 20:01:51 -0800 Subject: [PATCH 116/304] Update waas-delivery-optimization.md Add Dynamic updates support --- windows/deployment/update/waas-delivery-optimization.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 7337c717c1..599fd37ab1 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -62,10 +62,11 @@ For information about setting up Delivery Optimization, including tips for the b - DOMaxUploadBandwidth - Support for new types of downloads: - - Office installations and updates + - Office installs and updates - Xbox game pass games - MSIX apps (HTTP downloads only) - Edge browser installs and updates + - Dynamic updates ## Requirements @@ -92,6 +93,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | MSIX apps (HTTP downloads only) | 2004 | | Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | | Edge browser installs and updates | 1809 | +| Dynamic updates | 1903 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). From f7b513116952b788788b1856b6fc3ed945558a00 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:14:46 -0800 Subject: [PATCH 117/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2242561c26..1083895ed8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/21/2021 +ms.date: 01/22/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro From cc97ce85b1d8549daebc662e47e134c7f1df2b32 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:27:52 -0800 Subject: [PATCH 118/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 95 +++++++++++++++++-- 1 file changed, 89 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1083895ed8..0a7de859a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,15 +31,98 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: -- [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); -- [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); -- [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); -- [Submitting files for further analysis](#submit-a-file-for-analysis); and -- [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: + +1. Reviewing and classifying alerts +2. Reviewing remediation actions that were taken +3. Reviewing and defining exclusions +4. Submitting an entity for analysis +5. Reviewing your threat protection settings If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +## Review and classify alerts + +If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed. + +Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + +### Determine whether an alert is accurate + +Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. +1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in. +2. In the navigation pane, choose **Alerts queue**. +3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) +4. Take one of the following steps: + - If the alert is accurate, assign and investigate the alert further. + - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. + - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. + +### Classify an alert as a false positive + +Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert that is a false positive. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. + +> [!TIP] +> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. + +### Suppress an alert + +If you have alerts that are either false positives or are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. In the **Details** pane, choose the ellipsis (**...**), and then choose **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. + +> [!TIP] +> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). + +## Review remediation actions + +[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include: +- Quarantine a file +- Remove a registry key +- Kill a process +- Stop a service +- Disable a driver +- Remove a scheduled task + +Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone. + +### Review completed actions + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab. +3. Select an item to view more details about the remediation action that was taken. + +If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. Remediation actions that you can undo include the following: +- Isolate device +- Restrict code execution +- Quarantine a file +- Remove a registry key +- Stop a service +- Disable a driver +- Remove a scheduled task + +### To undo an action + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select an action that you want to undo. +3. In the flyout pane, select **Undo**. (If the action cannot be undone with this method, you will not see an **Undo** button.) + +### To undo multiple actions at one time + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select the actions that you want to undo. +3. In the pane on the right side of the screen, select **Undo**. + + ## Review your threat protection settings Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: From a5c3e6656d506074a70daafa4d2842b74139b586 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:29:36 -0800 Subject: [PATCH 119/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 130 +++++++++--------- 1 file changed, 66 insertions(+), 64 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 0a7de859a9..4f8b62add6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -122,6 +122,72 @@ If you find that a remediation action was taken automatically on an entity that 2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**. +## Review or define exclusions for Microsoft Defender for Endpoint + +An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. + +To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: +- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) +- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) + +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. + +The procedures in this section describe how to define exclusions and indicators. + +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). +4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + +### Indicators for Microsoft Defender for Endpoint + +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. + +To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: + +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) +- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) + +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): + +- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) +- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) +- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) + +> [!TIP] +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). + +| Indicator type | Prerequisites | Notes | +|----|----|---| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | + + ## Review your threat protection settings @@ -192,70 +258,6 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. -## Review or define exclusions for Microsoft Defender for Endpoint - -An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. - -To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: -- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) -- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) - -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. - -The procedures in this section describe how to define exclusions and indicators. - -### Exclusions for Microsoft Defender Antivirus - -In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. - -> [!TIP] -> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). - -#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) - -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). -3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. -4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. -5. Choose **Review + save**, and then choose **Save**. - -#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions - -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. -3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). -4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. -5. Specify a name and description for the profile, and then choose **Next**. -6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. -7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) -8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) -9. On the **Review + create** tab, review the settings, and then choose **Create**. - -### Indicators for Microsoft Defender for Endpoint - -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. - -To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: - -- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) -- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) -- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) - -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): - -- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) -- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) -- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) - -> [!TIP] -> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). - -| Indicator type | Prerequisites | Notes | -|----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | ## Classify a false positive or false negative From 4cb7b0ff725dc24fdb77c1f92523830eada4333f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:49:02 -0800 Subject: [PATCH 120/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 111 ++++++++---------- 1 file changed, 47 insertions(+), 64 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4f8b62add6..cb0ee4077d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,7 +33,7 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: -1. Reviewing and classifying alerts +1. [Reviewing and classifying alerts](#review-and-classify-alerts) 2. Reviewing remediation actions that were taken 3. Reviewing and defining exclusions 4. Submitting an entity for analysis @@ -47,10 +47,12 @@ If your security operations team see an alert that was triggered because somethi Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + ### Determine whether an alert is accurate Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. -1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) 4. Take one of the following steps: @@ -60,7 +62,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat ### Classify an alert as a false positive -Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. +Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the **Alerts queue**. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Select **Alerts queue**, and then select an alert that is a false positive. @@ -110,13 +112,13 @@ If you find that a remediation action was taken automatically on an entity that - Disable a driver - Remove a scheduled task -### To undo an action +### Undo an action 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select an action that you want to undo. 3. In the flyout pane, select **Undo**. (If the action cannot be undone with this method, you will not see an **Undo** button.) -### To undo multiple actions at one time +### Undo multiple actions at one time 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select the actions that you want to undo. @@ -163,7 +165,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: @@ -171,23 +173,52 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) -- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) -- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) +| Indicator type | Prerequisites | Notes | +|----|----|---| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). -| Indicator type | Prerequisites | Notes | -|----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | +## Submit a file for analysis +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. +### Submit a file for analysis + +If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis. + +1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). + +### Submit a fileless detection for analysis + +If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. + +1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run ** MpCmdRun.exe** as an administrator. +2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. + A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. +3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +4. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your .cab files. + +### What happens after a file is submitted? + +Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. It’s possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly. + +For submissions that were not already processed, they are prioritized for analysis as follows: + +- Prevalent files with the potential to impact large numbers of computers are given a higher priority. +- Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given a higher priority. +- Submissions flagged as high priority by SAID holders are given immediate attention. + +To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission). + +> [!TIP] +> To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions). ## Review your threat protection settings @@ -258,54 +289,6 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. - -## Classify a false positive or false negative - -As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. - -### Suppress an alert - -You can suppress an alert in the Microsoft Defender Security Center. - -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. -2. In the navigation pane, select **Alerts queue**. -3. Select an alert that you want to suppress to open its **Details** pane. -4. In the **Details** pane, choose the ellipsis (`...`), and then choose **Create a suppression rule**. -5. Specify all the settings for your suppression rule, and then choose **Save**. - -> [!TIP] -> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). - -### Classify an alert as a false positive - -Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. - -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. -2. Select **Alerts queue**, and then select an alert that is a false positive. -3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. -4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. - -> [!TIP] -> - For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). -> - If your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. - -## Submit a file for analysis - -You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. - -1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). - -2. Visit the Microsoft Security Intelligence submission ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). - -## Confirm your software uses EV code signing - -As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. - -Want to learn more? See the following resources: - -- [Microsoft Security Blog: Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/) -- [Get a code signing certificate](https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate) - ## Still need help? If you still need help after working through all the steps in this article, your best bet is to contact technical support. From 5b04617b295d16a1106326c79c481534acd475fe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:50:56 -0800 Subject: [PATCH 121/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index cb0ee4077d..69d5634efb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -19,7 +19,7 @@ ms.collection: - m365-security-compliance - m365initiative-defender-endpoint ms.topic: conceptual -ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola ms.custom: FPFN --- @@ -34,10 +34,10 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: 1. [Reviewing and classifying alerts](#review-and-classify-alerts) -2. Reviewing remediation actions that were taken -3. Reviewing and defining exclusions -4. Submitting an entity for analysis -5. Reviewing your threat protection settings +2. [Reviewing remediation actions that were taken](#review-remediation-actions) +3. [Reviewing and defining exclusions](#review-or-define-exclusions-for-microsoft-defender-for-endpoint) +4. [Submitting an entity for analysis](#submit-a-file-for-analysis) +5. [Reviewing your threat protection settings](#review-your-threat-protection-settings) If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. From af20c1f8c8f7088cdd22e4c189ab37f64fcfc0f4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:53:42 -0800 Subject: [PATCH 122/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 69d5634efb..dd7dfd3caa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -103,7 +103,7 @@ Other actions, such as starting an antivirus scan or collecting an investigation 2. Select the **History** tab. 3. Select an item to view more details about the remediation action that was taken. -If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. Remediation actions that you can undo include the following: +If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. You can undo the following remediation actions: - Isolate device - Restrict code execution - Quarantine a file @@ -178,7 +178,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | Notes | |----|----|---| |Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | | Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | > [!TIP] From 5596fcc20ce34f2ef0ec31a0c5f2112e18140cd4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:54:20 -0800 Subject: [PATCH 123/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index dd7dfd3caa..977f0216f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -4,8 +4,8 @@ description: Learn how to handle false positives or false negatives in Microsoft keywords: alert, exclusion, defender atp, false positive, false negative search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security From 384d221117fb45f3da607eb5d2c907d3284f4c6e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:58:11 -0800 Subject: [PATCH 124/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 977f0216f7..820e4412bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -175,11 +175,11 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -| Indicator type | Prerequisites | Notes | -|----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | +| Indicator type | Prerequisites | +|:----|:----| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file).

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From e06f4cba036a2a9599136aff2de740050b8168ac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:59:20 -0800 Subject: [PATCH 125/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 820e4412bb..81d6258ac3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -177,8 +177,8 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file).

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] From 5912f7dd084c88e5e4b1af9e08edbecbdb101b71 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:59:45 -0800 Subject: [PATCH 126/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 81d6258ac3..9e6d2a7b81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -179,7 +179,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, |:----|:----| |**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | | **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From bfee91e04c29c9cb209372e135e9a521d8109666 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:00:49 -0800 Subject: [PATCH 127/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9e6d2a7b81..6f17620125 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -177,7 +177,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | | **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **Certificates**

`.CER` or `.PEM` file extensions are supported.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | From da2f03ef717aa23a0e3a86c7f81ee598a4ba9ddf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:04:10 -0800 Subject: [PATCH 128/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 6f17620125..2896e64818 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,21 +33,20 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: -1. [Reviewing and classifying alerts](#review-and-classify-alerts) -2. [Reviewing remediation actions that were taken](#review-remediation-actions) -3. [Reviewing and defining exclusions](#review-or-define-exclusions-for-microsoft-defender-for-endpoint) -4. [Submitting an entity for analysis](#submit-a-file-for-analysis) -5. [Reviewing your threat protection settings](#review-your-threat-protection-settings) +1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) +2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) +3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) +4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) +5. [Reviewing your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. -## Review and classify alerts +## Part 1: Review and classify alerts If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed. Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. - ### Determine whether an alert is accurate Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. @@ -85,7 +84,7 @@ If you have alerts that are either false positives or are for unimportant events > [!TIP] > Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). -## Review remediation actions +## Part 2: Review remediation actions [Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include: - Quarantine a file @@ -124,7 +123,7 @@ If you find that a remediation action was taken automatically on an entity that 2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**. -## Review or define exclusions for Microsoft Defender for Endpoint +## Part 3: Review or define exclusions for Microsoft Defender for Endpoint An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. @@ -184,7 +183,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). -## Submit a file for analysis +## Part 4: Submit a file for analysis You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. @@ -220,7 +219,7 @@ To check for updates regarding your submission, sign in at the [Microsoft Securi > [!TIP] > To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions). -## Review your threat protection settings +## Part 5: Review and adjust your threat protection settings Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: From 21b877a8f0c60800a12928292c28c5fb344975d0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:08:15 -0800 Subject: [PATCH 129/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2896e64818..8061a0af30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -176,9 +176,9 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | -| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 88a45ee671d150a2c6f0450362b878debfd7df74 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:09:24 -0800 Subject: [PATCH 130/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8061a0af30..5b2bb0e35f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -178,7 +178,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, |:----|:----| |**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | | **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 616ad2ad31e4cbb6c8c9511d36dc7a7aff9150b9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:10:00 -0800 Subject: [PATCH 131/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5b2bb0e35f..b7016cc7ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -37,7 +37,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) 3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) -5. [Reviewing your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) +5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. From 244dc8bbb5d5464dea2fe6390c906766bc36e622 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Fri, 22 Jan 2021 13:09:33 -0800 Subject: [PATCH 132/304] Update waas-delivery-optimization.md Add link to Dynamic Updates blog post. --- windows/deployment/update/waas-delivery-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 599fd37ab1..bbafcf8b44 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -66,7 +66,7 @@ For information about setting up Delivery Optimization, including tips for the b - Xbox game pass games - MSIX apps (HTTP downloads only) - Edge browser installs and updates - - Dynamic updates + - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) ## Requirements @@ -93,7 +93,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | MSIX apps (HTTP downloads only) | 2004 | | Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | | Edge browser installs and updates | 1809 | -| Dynamic updates | 1903 | +| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). From 99e5ed848cfe0fd4aec8adcd57b8f85e02c0f637 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:45:39 -0800 Subject: [PATCH 133/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b7016cc7ba..0a4832febe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -43,7 +43,7 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w ## Part 1: Review and classify alerts -If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed. +If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. @@ -54,7 +54,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Take one of the following steps: +4. Take one of the following steps:
- If the alert is accurate, assign and investigate the alert further. - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. @@ -294,4 +294,9 @@ If you still need help after working through all the steps in this article, your 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. -3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. \ No newline at end of file +3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. + +## See also + +[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) + \ No newline at end of file From f508a1704b5862d2f228eaeef81762e2134cc59d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:47:49 -0800 Subject: [PATCH 134/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 0a4832febe..a05b00432f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -54,10 +54,10 @@ Before you classify or suppress an alert, determine whether the alert is accurat 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Take one of the following steps:
- - If the alert is accurate, assign and investigate the alert further. - - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. - - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. +4. Take one of the following steps:
+ - If the alert is accurate, assign and investigate the alert further. + - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. + - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. ### Classify an alert as a false positive From f143d389fc4fe91e7feccc6d6986f9642b7b5443 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:56:42 -0800 Subject: [PATCH 135/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index a05b00432f..e21d65054d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: 1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) @@ -39,7 +39,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) -If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. ## Part 1: Review and classify alerts @@ -55,18 +55,21 @@ Before you classify or suppress an alert, determine whether the alert is accurat 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) 4. Take one of the following steps:
- - If the alert is accurate, assign and investigate the alert further. - - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. - - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. -### Classify an alert as a false positive + | Alert status | What to do | + |:---|:---| + | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | + | The alert is a false positive | Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

Also, create an indicator for Microsoft Defender for Endpoint. | + | The alert is accurate but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | -Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the **Alerts queue**. +### Classify an alert + +Your security team can classify an alert as a false positive or a true positive in the Microsoft Defender Security Center, in the **Alerts queue**. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Select **Alerts queue**, and then select an alert that is a false positive. 3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. -4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. +4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) > [!TIP] > For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. From 87cbe724737cf5cd54d6bb7393c150d0ef345b2e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:59:31 -0800 Subject: [PATCH 136/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e21d65054d..ebf9e149f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -179,9 +179,9 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | -| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date. | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 7117e088936828f936875166dc99f7d0e6ee140b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:02:08 -0800 Subject: [PATCH 137/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ebf9e149f7..5d5c8cd439 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -177,11 +177,11 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -| Indicator type | Prerequisites | +| Indicator | Prerequisites | |:----|:----| -|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | +|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 313ba03c26e01250398b81e165f00a3eace1f715 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:02:39 -0800 Subject: [PATCH 138/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5d5c8cd439..68985360e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -178,7 +178,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: | Indicator | Prerequisites | -|:----|:----| +|:----:|:----:| |**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | | **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | From 5fe58051f530f67580c42bea28161217a1c1387e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:07:15 -0800 Subject: [PATCH 139/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 68985360e9..cecea25f5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -76,7 +76,7 @@ Your security team can classify an alert as a false positive or a true positive ### Suppress an alert -If you have alerts that are either false positives or are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. +If you have alerts that are either false positives or that are true positives but are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, select **Alerts queue**. From 8960bc4e9c0b881a801a4e8f8ecb19e442b5494f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:07:51 -0800 Subject: [PATCH 140/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index cecea25f5e..d5976bd76c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -178,7 +178,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: | Indicator | Prerequisites | -|:----:|:----:| +|:----|:----| |**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | | **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | From f386ac4af4d8b6e9ae82cd3a12dd8112b92ccfb8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:10:31 -0800 Subject: [PATCH 141/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d5976bd76c..3342692fc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -302,4 +302,5 @@ If you still need help after working through all the steps in this article, your ## See also [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) - \ No newline at end of file + +[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) \ No newline at end of file From 28794addaf76195c266a81fbc9f42834482621b8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:17:17 -0800 Subject: [PATCH 142/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 3342692fc9..56ef4f1e45 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -59,8 +59,8 @@ Before you classify or suppress an alert, determine whether the alert is accurat | Alert status | What to do | |:---|:---| | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | - | The alert is a false positive | Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

Also, create an indicator for Microsoft Defender for Endpoint. | - | The alert is accurate but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | + | The alert is a false positive | 1. Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

2. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.

3. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | + | The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | ### Classify an alert From aabbcc4e3710334f83029829595e8bbd8d3f0749 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:18:46 -0800 Subject: [PATCH 143/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 56ef4f1e45..4cc8fd34a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -45,7 +45,7 @@ This article also includes information about [what to do if you still need help] If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. -Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. +Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. ### Determine whether an alert is accurate From 223f0f72df48f4d2163e19aa778a881ea8767469 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:21:00 -0800 Subject: [PATCH 144/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4cc8fd34a3..48f1a3208e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -54,7 +54,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Take one of the following steps:
+4. Depending on the alert status, take the steps described in the following table:
| Alert status | What to do | |:---|:---| From e4a721f0618a51e419046ab3d179b42160e08574 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:26:14 -0800 Subject: [PATCH 145/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 48f1a3208e..20fe6f78d4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -227,7 +227,7 @@ To check for updates regarding your submission, sign in at the [Microsoft Securi Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - [Cloud-delivered protection](#cloud-delivered-protection) -- [Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA) +- [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications) ### Cloud-delivered protection From 9dafcb23f50b744dbc973442916eb7e335bbb52f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:32:47 -0800 Subject: [PATCH 146/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 20fe6f78d4..195c784c4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -201,7 +201,7 @@ If you have a file that was either wrongly detected as malicious or was missed, If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. -1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run ** MpCmdRun.exe** as an administrator. +1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. 2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. 3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). From f22675ab6af56193c9f671f3963ecee865bf57c4 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Fri, 22 Jan 2021 17:29:45 -0800 Subject: [PATCH 147/304] Restructuring Windows Hello for Business Docks --- windows/security/identity-protection/TOC.md | 2 +- .../feature-multifactor-unlock.md | 4 +- .../hello-deployment-guide.md | 43 ++++--- .../hello-for-business/hello-features.md | 57 --------- .../hello-how-it-works-tech-deep-dive.md | 49 -------- .../hello-for-business/hello-how-it-works.md | 31 +++-- .../hello-identity-verification.md | 33 ++--- .../hello-planning-guide.md | 28 +++-- .../hello-for-business/index.yml | 113 ++++++++++++++++++ .../hello-for-business/toc.md | 4 +- .../hello-for-business/toc.yml | 18 +++ windows/security/identity-protection/index.md | 2 +- 12 files changed, 213 insertions(+), 171 deletions(-) delete mode 100644 windows/security/identity-protection/hello-for-business/hello-features.md delete mode 100644 windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md create mode 100644 windows/security/identity-protection/hello-for-business/index.yml create mode 100644 windows/security/identity-protection/hello-for-business/toc.yml diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 7f7f58c2b8..16e55efb95 100644 --- a/windows/security/identity-protection/TOC.md +++ b/windows/security/identity-protection/TOC.md @@ -18,7 +18,7 @@ #### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md) #### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md) -## [Windows Hello for Business](hello-for-business/hello-identity-verification.md) +## [Windows Hello for Business](hello-for-business/index.yml) ## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) ### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 215c86beea..da9b1c7c1e 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -1,5 +1,5 @@ --- -title: Multifactor Unlock +title: Multi-factor Unlock description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor ms.prod: w10 @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 03/20/2018 ms.reviewer: --- -# Multifactor Unlock +# Multi-factor Unlock **Applies to:** - Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index f3f064b1d1..95b07dfe0d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Hello for Business Deployment Guide +title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 @@ -13,28 +13,35 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/29/2018 +ms.date: 01/21/2021 ms.reviewer: --- -# Windows Hello for Business Deployment Guide +# Windows Hello for Business Deployment Overview **Applies to** -- Windows 10, version 1703 or later + +- Windows 10, version 1703 or later Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. -This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment. +This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization. + +Once you've chosen a deployment model, the deployment guide for the that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. + +> [!NOTE] +> Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model. ## Assumptions -This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: -* A well-connected, working network -* Internet access -* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning -* Proper name resolution, both internal and external names -* Active Directory and an adequate number of domain controllers per site to support authentication -* Active Directory Certificate Services 2012 or later -* One or more workstation computers running Windows 10, version 1703 +This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: + +- A well-connected, working network +- Internet access +- Multi-factor Authentication Server to support MFA during Windows Hello for Business provisioning +- Proper name resolution, both internal and external names +- Active Directory and an adequate number of domain controllers per site to support authentication +- Active Directory Certificate Services 2012 or later +- One or more workstation computers running Windows 10, version 1703 If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. @@ -46,15 +53,17 @@ Windows Hello for Business has three deployment models: Cloud, hybrid, and on-pr Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. -The trust model determines how you want users to authenticate to the on-premises Active Directory: -* The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. -* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. -* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. +The trust model determines how you want users to authenticate to the on-premises Active Directory: + +- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. +- The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. +- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. > [!NOTE] > RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). Following are the various deployment guides and models included in this topic: + - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) - [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md deleted file mode 100644 index d35d4dea64..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: Windows Hello for Business Features -description: Consider additional features you can use after your organization deploys Windows Hello for Business. -ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -ms.reviewer: -keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: mapalko -ms.author: mapalko -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 11/27/2019 ---- -# Windows Hello for Business Features - -**Applies to:** - -- Windows 10 - -Consider these additional features you can use after your organization deploys Windows Hello for Business. - -## Conditional access - -Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md). - -## Dynamic lock - -Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md). - -## PIN reset - -Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md). - -## Dual Enrollment - -This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md). - -## Remote Desktop - -Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md). - -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md deleted file mode 100644 index 0e03beb9e3..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md +++ /dev/null @@ -1,49 +0,0 @@ ---- -title: How Windows Hello for Business works - Technical Deep Dive -description: Deeply explore how Windows Hello for Business works, and how it can help your users authenticate to services. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: mapalko -ms.author: mapalko -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -ms.reviewer: ---- -# Technical Deep Dive - -**Applies to:** -- Windows 10 - -Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories: -- [Registration](#registration) -- [Provisioning](#provisioning) -- [Authentication](#authentication) - -## Registration - -Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). - -[How Device Registration Works](hello-how-it-works-device-registration.md) - - -## Provisioning - -Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
-After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider.
-For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.
-Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page. - -[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md) - -## Authentication - -Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. - -[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 528c1b6fe8..60d7c90219 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -19,7 +19,7 @@ ms.reviewer: **Applies to** -- Windows 10 +- Windows 10 Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. @@ -28,20 +28,37 @@ Watch this quick video where Pieter Wigleven gives a simple explanation of how W ## Technical Deep Dive -Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business. +Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business. -Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work. +### Device Registration + +Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). + +For more information read [how device registration works](hello-how-it-works-device-registration.md). + +### Provisioning + +Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential. + +Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works. > [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s] + +For more information read [how provisioning works](hello-how-it-works-provisioning.md). + +### Authentication + +Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. + +Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works. + > [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek] -- [Technology and Terminology](hello-how-it-works-technology.md) -- [Device Registration](hello-how-it-works-device-registration.md) -- [Provisioning](hello-how-it-works-provisioning.md) -- [Authentication](hello-how-it-works-authentication.md) +For more information read [how authentication works](hello-how-it-works-authentication.md). ## Related topics +- [Technology and Terminology](hello-how-it-works-technology.md) - [Windows Hello for Business](hello-identity-verification.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 4d3512719a..d53a57bff1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -1,6 +1,6 @@ --- -title: Windows Hello for Business (Windows 10) -description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. +title: Windows Hello for Business Deployment Prerequisite Overview +description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E ms.reviewer: keywords: identity, PIN, biometric, Hello, passport @@ -15,29 +15,14 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 05/05/2018 +ms.date: 1/22/2021 --- -# Windows Hello for Business +# Windows Hello for Business Deployment Prerequisite Overview -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
-Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account. +This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. -Windows Hello addresses the following problems with passwords: - -- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials (passwords). -- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). - -> | | | | -> | :---: | :---: | :---: | -> | [![Overview Icon](images/hello_filter.png)](hello-overview.md)
[Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
[Manage Windows Hello in your Organization](hello-manage-in-organization.md) | - - -## Prerequisites - -### Cloud Only Deployment +## Cloud Only Deployment * Windows 10, version 1511 or later * Microsoft Azure Account @@ -46,9 +31,9 @@ Windows Hello addresses the following problems with passwords: * Modern Management (Intune or supported third-party MDM), *optional* * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory -### Hybrid Deployments +## Hybrid Deployments -The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. +The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. | Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | | --- | --- | --- | --- | @@ -76,7 +61,7 @@ The table shows the minimum requirements for each deployment. For key trust in a > Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 -### On-premises Deployments +## On-premises Deployments The table shows the minimum requirements for each deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 265aa7219d..22519b0b31 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -19,13 +19,15 @@ ms.reviewer: # Planning a Windows Hello for Business Deployment **Applies to** -- Windows 10 + +- Windows 10 Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. -If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). +> [!Note] +>If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). ## Using this guide @@ -38,12 +40,13 @@ This guide removes the appearance of complexity by helping you make decisions on Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment. There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are: -* Deployment Options -* Client -* Management -* Active Directory -* Public Key Infrastructure -* Cloud + +- Deployment Options +- Client +- Management +- Active Directory +-Public Key Infrastructure +- Cloud ### Baseline Prerequisites @@ -58,13 +61,16 @@ The goal of Windows Hello for Business is to enable deployments for all organiza There are three deployment models from which you can choose: cloud only, hybrid, and on-premises. ##### Cloud only + The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure. ##### Hybrid + The hybrid deployment model is for organizations that: -* Are federated with Azure Active Directory -* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect -* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources + +- Are federated with Azure Active Directory +- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect +- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] > Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml new file mode 100644 index 0000000000..98c1dc8fc0 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -0,0 +1,113 @@ +### YamlMime:Landing + +title: Windows Hello for Business documentation +summary: Learn how to manage and deploy Windows Hello for Business. + +metadata: + title: Windows Hello for Business documentation + description: Learn how to manage and deploy Windows Hello for Business. + ms.prod: w10 + ms.topic: landing-page + author: mapalko + manager: dansimp + ms.author: mapalko + ms.date: 01/22/2021 + ms.collection: M365-identity-device-management + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: About Windows Hello For Business + linkLists: + - linkListType: overview + links: + - text: Windows Hello for Business Overview + url: hello-overview.md + - linkListType: concept + links: + - text: Passwordless Strategy + url: passwordless-strategy.md + - text: Why a PIN is better than a password + url: hello-why-pin-is-better-than-password.md + - text: Windows Hello biometrics in the enterprise + url: hello-biometrics-in-enterprise.md + - text: How Windows Hello for Business works + url: hello-how-it-works.md + -linkListType: learn + links: + - text: Technical Deep Dive - Device Registration + url: hello-how-it-works-device-registration.md + - text: Technical Deep Dive - Provisioning + url: hello-how-it-works-provisioning.md + - text: Technical Deep Dive - Authentication + url: hello-how-it-works-authentication.md + - text: Technology and Terminology + url: hello-how-it-works-technology.md + - text: Frequently Asked Questions (FAQ) + url: hello-faq.yml + + # Card + - title: Configure and manage Windows Hello for Business + linkLists: + - linkListType: concept + links: + - text: Windows Hello for Business Deployment Overview + url: hello-deployment-guide.md + - text: Planning a Windows Hello for Business Deployment + url: hello-planning-guide.md + - text: Deployment Prerequisite Overview + url: hello-identity-verification.md + - linkListType: how-to-guide + links: + - text: Hybrid Azure AD Joined Key Trust Deployment + url: hello-hybrid-key-trust.md + - text: Hybrid Azure AD Joined Certificate Trust Deployment + url: hello-hybrid-cert-trust.md + - text: On-premises SSO for Azure AD Joined Devices + url: hello-hybrid-aadj-sso.md + - text: On-premises Key Trust Deployment + url: hello-deployment-key-trust.md + - text: On-premises Certificate Trust Deployment + url: hello-deployment-cert-trust.md + - linkListType: learn + links: + - text: Manage Windows Hello for Business in your organization + url: hello-manage-in-organization.md + - text: Windows Hello and password changes + url: hello-and-password-changes.md + - text: Prepare people to use Windows Hello + url: hello-prepare-people-to-use.md + + # Card + - title: Windows Hello for Business Features + linkLists: + - linkListType: how-to-guide + links: + - text: Conditional Access + url: hello-feature-conditional-access.md + - text: PIN Reset + url: hello-feature-pin-reset.m + - text: Dual Enrollment + url: hello-feature-dual-enrollment.md + - text: Dynamic Lock + url: hello-feature-dynamic-lock.md + - text: Multi-factor Unlock + url: feature-multifactor-unlock.md + - text: Remote Desktop + url: hello-feature-remote-desktop.md + + # Card + - title: Windows Hello for Business Troubleshooting + linkLists: + - linkListType: concept + links: + - text: Known Deployment Issues + url: hello-deployment-issues.md + - text: Errors During PIN Creation + url: hello-errors-during-pin-creation.md + + + \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index b046ac97ee..77e08dfd22 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ b/windows/security/identity-protection/hello-for-business/toc.md @@ -1,6 +1,6 @@ # [Windows Hello for Business](hello-identity-verification.md) -## [Password-less Strategy](passwordless-strategy.md) +## [Passwordless Strategy](passwordless-strategy.md) ## [Windows Hello for Business Overview](hello-overview.md) ## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) @@ -10,7 +10,7 @@ ### [Conditional Access](hello-feature-conditional-access.md) ### [Dual Enrollment](hello-feature-dual-enrollment.md) ### [Dynamic Lock](hello-feature-dynamic-lock.md) -### [Multifactor Unlock](feature-multifactor-unlock.md) +### [Multi-factor Unlock](feature-multifactor-unlock.md) ### [PIN Reset](hello-feature-pin-reset.md) ### [Remote Desktop](hello-feature-remote-desktop.md) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml new file mode 100644 index 0000000000..dd48cc97b4 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -0,0 +1,18 @@ +- name: Windows Hello for Business documentation + href: index.yml +- name: Overview + items: + - name: Windows Hello for Business Overview + href: hello-overview.md +- name: Concepts + items: + - name: + href: +- name: How-to Guides + items: + - name: + href: +- name: Reference + items: + - name: + href: \ No newline at end of file diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index f57abc302f..dd87cded73 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md @@ -31,5 +31,5 @@ Learn more about identity and access management technologies in Windows 10 and | [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. | | [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. | -| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | +| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. | From 7a3c2bf326fd2ee9fb14527cac612e996625ad1e Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Fri, 22 Jan 2021 17:32:22 -0800 Subject: [PATCH 148/304] fixing new line --- .../security/identity-protection/hello-for-business/index.yml | 3 --- .../security/identity-protection/hello-for-business/toc.yml | 3 ++- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index 98c1dc8fc0..c26699645a 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -108,6 +108,3 @@ landingContent: url: hello-deployment-issues.md - text: Errors During PIN Creation url: hello-errors-during-pin-creation.md - - - \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index dd48cc97b4..2c20b2052d 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -15,4 +15,5 @@ - name: Reference items: - name: - href: \ No newline at end of file + href: + \ No newline at end of file From b7ac564fd79b1e104204a9c2155adb1968e9e98e Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 14:30:32 +0200 Subject: [PATCH 149/304] 1 --- .../microsoft-defender-atp/find-machines-by-tag.md | 13 ++++++++++--- .../get-discovered-vulnerabilities.md | 4 ++++ .../microsoft-defender-atp/get-domain-statistics.md | 7 ++++++- .../microsoft-defender-atp/get-file-statistics.md | 7 ++++++- .../microsoft-defender-atp/get-ip-statistics.md | 7 ++++++- .../get-missing-kbs-machine.md | 6 +++++- .../get-security-recommendations.md | 4 ++++ .../microsoft-defender-atp/import-ti-indicators.md | 2 +- 8 files changed, 42 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md index c077f850b8..e34e5962d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md @@ -32,7 +32,7 @@ ms.topic: article ## API description Find [Machines](machine.md) by [Tag](machine-tags.md). - +
```startswith``` query is supported. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. @@ -56,7 +56,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ## HTTP request ``` -GET /api/machines/findbytag(tag='{tag}') +GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false} ``` ## Request headers @@ -65,6 +65,13 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +tag | String | The tag name. **Required**. +useStartsWithFilter | Boolean | When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**. + ## Request body Empty @@ -78,5 +85,5 @@ If successful - 200 OK with list of the machines in the response body. Here is an example of the request. ``` -GET https://api.securitycenter.microsoft.com/api/machines/findbytag(tag='testTag') +GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true ``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md index 773a35d073..258209f10d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md @@ -30,8 +30,12 @@ ms.technology: mde [!include[Improve request performance](../../includes/improve-request-performance.md)] +## API description Retrieves a collection of discovered vulnerabilities related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index dda241406d..3720025ad9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -62,6 +62,11 @@ Header | Value :---|:--- Authorization | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -77,7 +82,7 @@ If successful and domain exists - 200 OK, with statistics object in the response Here is an example of the request. ``` -GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats +GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48 ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index 45c0c7f97f..ac9da34d73 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -62,6 +62,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -77,7 +82,7 @@ If successful and file exists - 200 OK with statistical data in the body. If fil Here is an example of the request. ``` -GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats +GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48 ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index e720d2f338..5ba7c77cd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -63,6 +63,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -78,7 +83,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no Here is an example of the request. ```http -GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats +GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48 ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 9ac01f22cf..abb4bd89f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -30,7 +30,11 @@ ms.technology: mde [!include[Improve request performance](../../includes/improve-request-performance.md)] -Retrieves missing KBs (security updates) by device ID +## API description +Retrieves missing KBs (security updates) by device ID. + +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. ## HTTP request diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index 1d2dfe41dd..f08ce4f926 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -31,8 +31,12 @@ ms.technology: mde [!include[Prerelease information](../../includes/prerelease.md)] +## API description Retrieves a collection of security recommendations related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md index 822e0f9985..8e33f2ae5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md @@ -37,7 +37,7 @@ Submits or Updates batch of [Indicator](ti-indicator.md) entities. ## Limitations 1. Rate limitations for this API are 30 calls per minute. 2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant. - +3. Maximum batch size for one API call is 500. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) From b54bd97a85d313c549533a537de4f5dcc35b61ea Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 14:57:21 +0200 Subject: [PATCH 150/304] 2 --- .../add-or-remove-machine-tags.md | 6 ++++-- .../collect-investigation-package.md | 4 +++- .../get-alert-related-domain-info.md | 4 +--- .../get-alert-related-files-info.md | 4 +--- .../get-alert-related-ip-info.md | 4 +--- .../get-alert-related-machine-info.md | 4 +--- .../get-alert-related-user-info.md | 4 +--- .../microsoft-defender-atp/get-domain-statistics.md | 4 +--- .../microsoft-defender-atp/get-file-information.md | 4 +--- .../microsoft-defender-atp/get-file-statistics.md | 4 +--- .../get-investigation-collection.md | 4 +--- .../microsoft-defender-atp/get-ip-statistics.md | 4 +--- .../microsoft-defender-atp/get-kbinfo-collection.md | 7 ++----- .../microsoft-defender-atp/get-machine-by-id.md | 4 +--- .../get-machine-log-on-users.md | 4 +--- .../get-machineaction-object.md | 6 ++---- .../get-machineactions-collection.md | 6 ++---- .../microsoft-defender-atp/get-machines.md | 4 +--- .../get-machinesecuritystates-collection.md | 7 ++----- .../microsoft-defender-atp/get-package-sas-uri.md | 8 ++------ .../get-ti-indicators-collection.md | 12 ++++-------- .../microsoft-defender-atp/get-user-information.md | 7 ++----- .../initiate-autoir-investigation.md | 8 +++++--- .../microsoft-defender-atp/isolate-machine.md | 10 ++++++---- .../microsoft-defender-atp/offboard-machine-api.md | 6 ++++-- .../restrict-code-execution.md | 9 +++++---- .../microsoft-defender-atp/run-advanced-query-api.md | 12 +++++++----- .../microsoft-defender-atp/run-av-scan.md | 6 ++++-- .../stop-and-quarantine-file.md | 6 ++++-- .../microsoft-defender-atp/unisolate-machine.md | 6 ++++-- .../unrestrict-code-execution.md | 6 ++++-- .../microsoft-defender-atp/update-alert.md | 5 +++-- 32 files changed, 82 insertions(+), 107 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index c9987f3a99..2a992e5e4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -90,9 +90,11 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -```http +``` POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags -Content-type: application/json +``` + +```json { "Value" : "test Tag 2", "Action": "Add" diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index ee50396e37..7c823acfd6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -83,7 +83,9 @@ Here is an example of the request. ``` POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage -Content-type: application/json +``` + +```json { "Comment": "Collect forensics due to alert 1234" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index 9347365103..aaa3ab921d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Domains", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 80dfa7de59..705b9284db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index b241dd2b72..02701c84db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index e4850f8d55..a5e59345c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -88,9 +88,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity", "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index ea89e7158c..a256a1f597 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "contoso\\user1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index 3720025ad9..dd3331b476 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookB Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats", "host": "example.com", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 736c3298e2..019f1385c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity", "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index ac9da34d73..cf1898803a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md index 47662456ae..cca2597b98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md @@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/investigations Here is an example of the response: -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Investigations", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 5ba7c77cd7..bc04301ab1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBac Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", "ipAddress": "10.209.67.177", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index f108cdfbf6..0eeced010e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md @@ -61,18 +61,15 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/KbInfo -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo", "@odata.count": 271, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index ceac9cc0ed..0a6ff20f30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine", "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index f4730dce02..3e9b901fac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index 35d7343116..9520bd1379 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -77,7 +77,7 @@ If successful, this method returns 200, Ok response code with a [Machine Action] Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba ``` @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-42 Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity", "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 11bd89fa3b..d910d3beda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -82,7 +82,7 @@ If successful, this method returns 200, Ok response code with a collection of [m Here is an example of the request on an organization that has three MachineActions. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions ``` @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index ad2331e5ab..42a179a64f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -92,9 +92,7 @@ GET https://api.securitycenter.microsoft.com/api/machines Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 9565ba0014..9d1e0ef235 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -60,9 +60,8 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates -Content-type: application/json ``` **Response** @@ -70,9 +69,7 @@ Content-type: application/json Here is an example of the response. Field *id* contains device id and equal to the field *id** in devices info. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates", "@odata.count":444, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index ccd17fea22..2683556f81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -73,19 +73,15 @@ If successful, this method returns 200, Ok response code with object that holds Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri - ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json - +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String", "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index 58cb3f78a5..5a5ea5a354 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md @@ -78,7 +78,7 @@ If successful, this method returns 200, Ok response code with a collection of [I Here is an example of a request that gets all Indicators -``` +```http GET https://api.securitycenter.microsoft.com/api/indicators ``` @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ @@ -141,7 +139,7 @@ Content-type: application/json Here is an example of a request that gets all Indicators with 'AlertAndBlock' action -``` +```http GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock' ``` @@ -149,9 +147,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'A Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md index 7a7e85e081..d4d47fa618 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md @@ -64,9 +64,8 @@ If successful and user exists - 200 OK with [user](user.md) entity in the body. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1 -Content-type: application/json ``` **Response** @@ -74,9 +73,7 @@ Content-type: application/json Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "user1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index dfb9ea34c6..caa8fb231b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Investigatio Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation -Content-type: application/json +``` + +```json { - "Comment": "Test investigation", + "Comment": "Test investigation" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 00d02c3bfe..67f0760774 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -90,13 +90,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -```console +``` POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate -Content-type: application/json +``` + +```json { "Comment": "Isolate machine due to alert 1234", - “IsolationType”: “Full” + "IsolationType": "Full" } ``` -- To unisolate a device, see [Release device from isolation](unisolate-machine.md). +- To release a device from isolation, see [Release device from isolation](unisolate-machine.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 8eef870362..df8552d5a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -87,9 +87,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard -Content-type: application/json +``` + +```json { "Comment": "Offboard machine by automation" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index fb99be0444..a78424ca79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -83,14 +83,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution -Content-type: application/json +``` + +```json { "Comment": "Restrict code execution due to alert 1234" } ``` -- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). - +- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 88fddcc27b..195101b45a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -35,10 +35,10 @@ ms.technology: mde 1. You can only run a query on data from the last 30 days. 2. The results will include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: - - API calls: Up to 15 calls per minute - - Execution time: 10 minutes of running time every hour and 4 hours of running time a day + - API calls: Up to 45 calls per minute. + - Execution time: 10 minutes of running time every hour and 4 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. -5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed. +5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -82,9 +82,11 @@ Request Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/advancedqueries/run -Content-type: application/json +``` + +```json { "Query":"DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe' diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index dda698fd60..aac2826f29 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -91,9 +91,11 @@ If successful, this method returns 201, Created response code and _MachineAction Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan -Content-type: application/json +``` + +```json { "Comment": "Check machine for viruses due to alert 3212", “ScanType”: “Full” diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 26a77dc157..6ab096b9f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile -Content-type: application/json +``` + +```json { "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9" diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 2ddc0fa5f4..9d41281585 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate -Content-type: application/json +``` + +```json { "Comment": "Unisolate machine since it was clean and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index c8b9276441..41934f0380 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -82,9 +82,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution -Content-type: application/json +``` + +```json { "Comment": "Unrestrict code execution since machine was cleaned and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 4f6423b15e..d2f3515f96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -91,10 +91,11 @@ If successful, this method returns 200 OK, and the [alert](alerts.md) entity in Here is an example of the request. -``` +```http PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442 -Content-Type: application/json +``` +```json { "status": "Resolved", "assignedTo": "secop2@contoso.com", From f803e252caab050a81ec70c30fd0ae8fb48684ef Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 15:46:51 +0200 Subject: [PATCH 151/304] 1 --- .../collect-investigation-package.md | 2 +- .../microsoft-defender-atp/create-alert-by-reference.md | 3 ++- .../microsoft-defender-atp/delete-ti-indicator-by-id.md | 2 +- .../microsoft-defender-atp/find-machines-by-ip.md | 2 +- .../microsoft-defender-atp/find-machines-by-tag.md | 2 +- .../get-alert-related-domain-info.md | 2 +- .../microsoft-defender-atp/get-alert-related-files-info.md | 2 +- .../microsoft-defender-atp/get-alert-related-ip-info.md | 2 +- .../get-alert-related-machine-info.md | 2 +- .../microsoft-defender-atp/get-alert-related-user-info.md | 2 +- .../threat-protection/microsoft-defender-atp/get-alerts.md | 4 ++-- .../microsoft-defender-atp/get-all-recommendations.md | 2 +- .../get-all-vulnerabilities-by-machines.md | 2 +- .../microsoft-defender-atp/get-all-vulnerabilities.md | 2 +- .../microsoft-defender-atp/get-cvekbmap-collection.md | 7 ++----- .../microsoft-defender-atp/get-device-secure-score.md | 2 +- .../get-discovered-vulnerabilities.md | 4 ++-- .../microsoft-defender-atp/get-domain-statistics.md | 2 +- .../microsoft-defender-atp/get-exposure-score.md | 2 +- .../microsoft-defender-atp/get-file-information.md | 2 +- .../microsoft-defender-atp/get-file-related-alerts.md | 2 +- .../microsoft-defender-atp/get-file-related-machines.md | 2 +- .../microsoft-defender-atp/get-file-statistics.md | 2 +- .../microsoft-defender-atp/get-installed-software.md | 2 +- .../microsoft-defender-atp/get-ip-related-alerts.md | 2 +- .../get-machine-group-exposure-score.md | 2 +- .../microsoft-defender-atp/get-machines-by-software.md | 3 +-- .../get-machines-by-vulnerability.md | 2 +- .../microsoft-defender-atp/get-missing-kbs-machine.md | 2 +- .../microsoft-defender-atp/get-missing-kbs-software.md | 2 +- .../microsoft-defender-atp/get-recommendation-by-id.md | 2 +- .../microsoft-defender-atp/get-recommendation-machines.md | 2 +- .../microsoft-defender-atp/get-recommendation-software.md | 2 +- .../get-recommendation-vulnerabilities.md | 2 +- .../microsoft-defender-atp/get-security-recommendations.md | 4 ++-- .../microsoft-defender-atp/get-software-by-id.md | 3 +-- .../get-software-ver-distribution.md | 3 +-- .../microsoft-defender-atp/get-software.md | 2 +- .../microsoft-defender-atp/get-user-related-alerts.md | 2 +- .../microsoft-defender-atp/get-user-related-machines.md | 2 +- .../microsoft-defender-atp/get-vuln-by-software.md | 3 +-- .../microsoft-defender-atp/get-vulnerability-by-id.md | 2 +- .../microsoft-defender-atp/import-ti-indicators.md | 3 ++- .../microsoft-defender-atp/isolate-machine.md | 2 +- .../microsoft-defender-atp/post-ti-indicator.md | 3 ++- .../microsoft-defender-atp/run-av-scan.md | 2 +- .../microsoft-defender-atp/update-alert.md | 2 +- 47 files changed, 54 insertions(+), 58 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index 7c823acfd6..dea6142742 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -81,7 +81,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index ac6a1ed6be..91a38d3f42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -96,9 +96,10 @@ If successful, this method returns 200 OK, and a new [alert](alerts.md) object i Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference ``` + ```json { "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index c4921c50f4..127f52cd7a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -73,6 +73,6 @@ If Indicator with the specified id was not found - 404 Not Found. Here is an example of the request. -``` +```http DELETE https://api.securitycenter.microsoft.com/api/indicators/995 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index 5a461d731b..d9ebb6559c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -80,6 +80,6 @@ If the timestamp is not in the past 30 days - 400 Bad Request. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z) ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md index e34e5962d8..5bb4e7756f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md @@ -84,6 +84,6 @@ If successful - 200 OK with list of the machines in the response body. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true ``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index aaa3ab921d..c84308bef0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -77,7 +77,7 @@ If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 705b9284db..015b98dba0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -77,7 +77,7 @@ If successful and alert and files exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index 02701c84db..602a1fd1c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -78,7 +78,7 @@ If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index a5e59345c3..60d47669c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -79,7 +79,7 @@ If successful and alert and device exist - 200 OK. If alert not found or device Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index a256a1f597..2afbe73739 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -78,7 +78,7 @@ If successful and alert and a user exists - 200 OK with user in the body. If ale Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 918af17cc7..eb0067b2ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -88,7 +88,7 @@ If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts ``` @@ -152,7 +152,7 @@ Here is an example of the response. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index 9be5af6b31..6548493ea9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of security recommendati Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md index 73cc542fda..0126da149d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md @@ -72,7 +72,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index 17f9e97ef1..00ade14700 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Vulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md index 41df827074..3264cc7d76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md @@ -61,18 +61,15 @@ If successful and map exists - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/CveKbMap -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap", "@odata.count": 4168, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index b18413a57e..2edded89ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md @@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the device secure score data in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/configurationScore ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md index 258209f10d..760ce4ddb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md @@ -71,7 +71,7 @@ If successful, this method returns 200 OK with the discovered vulnerability info Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities ``` @@ -79,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4 Here is an example of the response. -``` +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index dd3331b476..13a3f3f28f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -81,7 +81,7 @@ If successful and domain exists - 200 OK, with statistics object in the response Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index c06627a36f..0288816bb4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with the exposure data in the respons Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/exposureScore ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 019f1385c7..37b4c39da7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -76,7 +76,7 @@ If successful and file exists - 200 OK with the [file](files.md) entity in the b Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index dd23bde922..1ef694df96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [alert](alerts.md) entities Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index 981b5352e4..c0de4442c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index cf1898803a..ab8b12267d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -81,7 +81,7 @@ If successful and file exists - 200 OK with statistical data in the body. If fil Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md index 1d74c52f25..9effa5d7a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md @@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the installed software informatio Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index ec0bd5533a..d4f66c71d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -79,6 +79,6 @@ If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index f7ea61feb1..6f54986e33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with a list of exposure score per dev Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index cbcb0e0b06..b2f9da0734 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK and a list of devices with the softwar Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machi Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md index 35a821c812..bf4208cd36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index abb4bd89f5..d3c13ddae1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -62,7 +62,7 @@ If successful, this method returns 200 OK, with the specified device missing kb Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md index 4c037b678e..3b53dabe02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md @@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the specified software missing k Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index d752962405..5548416186 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 7d46d6e6fe..fa448849b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of devices associated wi Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index 4f144b37e3..0fcdc3e55a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the software associated with the Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index 6c606f3bfc..e4a52ff2a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK, with the list of vulnerabilities asso Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index f08ce4f926..2581a14cb0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations ``` @@ -79,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4 Here is an example of the response. -``` +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index da3f09fb2d..58ff771315 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the specified software data in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity", "id": "microsoft-_-edge", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index c707f59ef2..897e0c91a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a list of software distributions Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distr Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index 95e59d134f..b070207ed0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md @@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the software inventory in the bod Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 7705c00e4b..341e56d35d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -81,6 +81,6 @@ If successful and user exists - 200 OK. If the user does not exist - 404 Not Fou Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 7cab2321b4..b91c080c8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -82,6 +82,6 @@ If successful and user exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index c60ff31fdb..762572746a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a a list of vulnerabilities expos Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulne Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index e8cc9c8257..441ac6bf08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md index 8e33f2ae5c..ae63ad7d4b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md @@ -79,9 +79,10 @@ Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indica Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/indicators/import ``` + ```json { "Indicators": diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 67f0760774..15f0c9b691 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -90,7 +90,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index c5bedda425..f019e3a9d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -89,9 +89,10 @@ rbacGroupNames | String | Comma-separated list of RBAC group names the indicator Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/indicators ``` + ```json { "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index aac2826f29..68a10a5e99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -98,7 +98,7 @@ POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2 ```json { "Comment": "Check machine for viruses due to alert 3212", - “ScanType”: “Full” + "ScanType": "Full" } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index d2f3515f96..a19d0d51e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -103,4 +103,4 @@ PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_213 "determination": "Malware", "comment": "Resolve my alert and assign to secop2" } -``` +``` \ No newline at end of file From c8dde0220a6429f0e4fa375709c1b642f5ec4a98 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 16:17:49 +0200 Subject: [PATCH 152/304] 5 --- .../threat-protection/microsoft-defender-atp/investigation.md | 2 +- .../threat-protection/microsoft-defender-atp/machine.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md index 6afbbec900..64b309d544 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md @@ -40,7 +40,7 @@ Represent an Automated Investigation entity in Defender for Endpoint. Method|Return Type |Description :---|:---|:--- [List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation -[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity. +[Get single Investigation](get-investigation-object.md) | Investigation entity | Gets single Investigation entity. [Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index c0cfd906a5..896f5ca654 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -62,7 +62,7 @@ version | String | Operating system Version. osBuild | Nullable long | Operating system build number. lastIpAddress | String | Last IP on local NIC on the [machine](machine.md). lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet. -healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" +healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown". rbacGroupName | String | Machine group Name. rbacGroupId | Int | Machine group unique ID. riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'. From 5823e24e7ac6d543273fdbf8963a454ad921f8d6 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 16:50:27 +0200 Subject: [PATCH 153/304] 3 --- .../microsoft-defender-atp/run-advanced-query-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 195101b45a..1f52029bfe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -36,7 +36,7 @@ ms.technology: mde 2. The results will include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: - API calls: Up to 45 calls per minute. - - Execution time: 10 minutes of running time every hour and 4 hours of running time a day. + - Execution time: 10 minutes of running time every hour and 3 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. 5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. From 963bbb8f93de94590c0ed5948d0a965dd92d304e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 25 Jan 2021 21:09:14 +0500 Subject: [PATCH 154/304] Update TOC.md --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index af35c57f47..122083cfeb 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -114,6 +114,7 @@ ##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) ##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md) ##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md) +##### [Troubleshoot exploit protection mitigations](microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md) ##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md ) #### [Network protection]() From 463b8b0f8cf8d6b1066728d21cb4b34138608a98 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Mon, 25 Jan 2021 10:13:26 -0600 Subject: [PATCH 155/304] Update security-compliance-toolkit-10.md Removed 1709 as we dont support it any longer and pulled it from the DLC --- .../security/threat-protection/security-compliance-toolkit-10.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index fd8ba1f7f9..509869f9e5 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -34,7 +34,6 @@ The Security Compliance Toolkit consists of: - Windows 10 Version 1903 (May 2019 Update) - Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1803 (April 2018 Update) - - Windows 10 Version 1709 (Fall Creators Update) - Windows 10 Version 1607 (Anniversary Update) - Windows 10 Version 1507 From f8e3f311ae43ba2b3c195b8c4a5c48b54c9c4869 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 25 Jan 2021 21:17:00 +0500 Subject: [PATCH 156/304] Update mandatory-settings-for-wip.md --- .../mandatory-settings-for-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index eb25f0556d..bf2e926154 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -28,7 +28,7 @@ This list provides all of the tasks and settings that are required for the opera |Task|Description| |----|-----------| |Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.| -|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| +|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| From b9cae92b5b8afb1f57771f5120df16ddfed3079a Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Mon, 25 Jan 2021 10:57:53 -0800 Subject: [PATCH 157/304] updating toc to toc.yml and updating nesting to match restructuring of documentation --- .../hello-for-business/index.yml | 4 +- .../hello-for-business/toc.md | 72 ---------- .../hello-for-business/toc.yml | 132 +++++++++++++++++- 3 files changed, 127 insertions(+), 81 deletions(-) delete mode 100644 windows/security/identity-protection/hello-for-business/toc.md diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index c26699645a..4035fa1cd7 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -89,7 +89,7 @@ landingContent: - text: Conditional Access url: hello-feature-conditional-access.md - text: PIN Reset - url: hello-feature-pin-reset.m + url: hello-feature-pin-reset.md - text: Dual Enrollment url: hello-feature-dual-enrollment.md - text: Dynamic Lock @@ -102,7 +102,7 @@ landingContent: # Card - title: Windows Hello for Business Troubleshooting linkLists: - - linkListType: concept + - linkListType: how-to-guide links: - text: Known Deployment Issues url: hello-deployment-issues.md diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md deleted file mode 100644 index 77e08dfd22..0000000000 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ /dev/null @@ -1,72 +0,0 @@ -# [Windows Hello for Business](hello-identity-verification.md) - -## [Passwordless Strategy](passwordless-strategy.md) - -## [Windows Hello for Business Overview](hello-overview.md) -## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) - -## [Windows Hello for Business Features](hello-features.md) -### [Conditional Access](hello-feature-conditional-access.md) -### [Dual Enrollment](hello-feature-dual-enrollment.md) -### [Dynamic Lock](hello-feature-dynamic-lock.md) -### [Multi-factor Unlock](feature-multifactor-unlock.md) -### [PIN Reset](hello-feature-pin-reset.md) -### [Remote Desktop](hello-feature-remote-desktop.md) - -## [How Windows Hello for Business works](hello-how-it-works.md) -### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive) -#### [Device Registration](hello-how-it-works-device-registration.md) -#### [Provisioning](hello-how-it-works-provisioning.md) -#### [Authentication](hello-how-it-works-authentication.md) -#### [Technology and Terminology](hello-how-it-works-technology.md) - -## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) - -## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - -## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) - -### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) -#### [Prerequisites](hello-hybrid-key-trust-prereqs.md) -#### [New Installation Baseline](hello-hybrid-key-new-install.md) -#### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -#### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -#### [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -#### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) - -### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) -#### [Prerequisites](hello-hybrid-cert-trust-prereqs.md) -#### [New Installation Baseline](hello-hybrid-cert-new-install.md) -#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) -#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) - -### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) -#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) -#### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md) - -### [On Premises Key Trust Deployment](hello-deployment-key-trust.md) -#### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -#### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -##### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -#### [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) - -### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) -#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) - -## [Windows Hello and password changes](hello-and-password-changes.md) -## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - -## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.yml) -### [Windows Hello for Business Videos](hello-videos.md) - -## Windows Hello for Business Troubleshooting -### [Known Deployment Issues](hello-deployment-issues.md) -### [Errors during PIN creation](hello-errors-during-pin-creation.md) -### [Event ID 300 - Windows Hello successfully created](hello-event-300.md) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 2c20b2052d..65d8c83904 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -5,15 +5,133 @@ - name: Windows Hello for Business Overview href: hello-overview.md - name: Concepts + expanded: true items: - - name: - href: + - name: Passwordless Strategy + href: passwordless-strategy.md + - name: Why a PIN is better than a password + href: hello-why-pin-is-better-than-password.md + - name: Windows Hello biometrics in the enterprise + href: hello-biometrics-in-enterprise.md + - name: How Windows Hello for Business works + href: hello-how-it-works.md + - name: Technical Deep Dive + items: + - name: Device Registration + href: hello-how-it-works-device-registration.md + - name: Provisioning + href: hello-how-it-works-provisioning.md + - name: Authentication + href: hello-how-it-works-authentication.md - name: How-to Guides items: - - name: - href: + - name: Windows Hello for Business Deployment Overview + href: hello-deployment-guide.md + - name: Planning a Windows Hello for Business Deployment + href: hello-planning-guide.md + - name: Deployment Prerequisite Overview + href: hello-identity-verification.md + - name: Prepare people to use Windows Hello + href: hello-prepare-people-to-use.md + - name: Deployment Guides + items: + - name: Hybrid Azure AD Joined Key Trust + items: + - name: Hybrid Azure AD Joined Key Trust Deployment + href: hello-hybrid-key-trust.md + - name: Prerequisites + href: hello-hybrid-key-trust-prereqs.md + - name: New Installation Baseline + href: hello-hybrid-key-new-install.md + - name: Configure Directory Synchronization + href: hello-hybrid-key-trust-dirsync.md + - name: Configure Azure Device Registration + href: hello-hybrid-key-trust-devreg.md + - name: Configure Windows Hello for Business settings + href: hello-hybrid-key-whfb-settings.md + - name: Sign-in and Provisioning + href: hello-hybrid-key-whfb-provision.md + - name: Hybrid Azure AD Joined Certificate Trust + items: + - name: Hybrid Azure AD Joined Certificate Trust Deployment + href: hello-hybrid-cert-trust.md + - name: Prerequisites + href: hello-hybrid-cert-trust-prereqs.md + - name: New Installation Baseline + href: hello-hybrid-cert-new-install.md + - name: Configure Azure Device Registration + href: hello-hybrid-cert-trust-devreg.md + - name: Configure Windows Hello for Business settings + href: hello-hybrid-cert-whfb-settings.md + - name: Sign-in and Provisioning + href: hello-hybrid-cert-whfb-provision.md + - name: On-premises SSO for Azure AD Joined Devices + items: + - name: On-premises SSO for Azure AD Joined Devices Deployment + href: hello-hybrid-aadj-sso.md + - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business + href: hello-hybrid-aadj-sso-base.md + - name: Using Certificates for AADJ On-premises Single-sign On + href: hello-hybrid-aadj-sso-cert.md + - name: On-premises Key Trust + items: + - name: On-premises Key Trust Deployment + href: hello-deployment-key-trust.md + - name: Validate Active Directory Prerequisites + href: hello-key-trust-validate-ad-prereq.md + - name: Validate and Configure Public Key Infrastructure + href: hello-key-trust-validate-pki.md + - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + href: hello-key-trust-adfs.md + - name: Validate and Deploy Multi-factor Authentication (MFA) Services + href: hello-key-trust-validate-deploy-mfa.md + - name: Configure Windows Hello for Business policy settings + href: hello-key-trust-policy-settings.md + - name: On-premises Certificate Trust + items: + - name: On-premises Certificate Trust Deployment + href: hello-deployment-cert-trust.md + - name: Validate Active Directory Prerequisites + href: hello-cert-trust-validate-ad-prereq.md + - name: Validate and Configure Public Key Infrastructure + href: hello-cert-trust-validate-pki.md + - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + href: hello-cert-trust-adfs.md + - name: Validate and Deploy Multi-factor Authentication (MFA) Services + href: hello-cert-trust-validate-deploy-mfa.md + - name: Configure Windows Hello for Business policy settings + href: hello-cert-trust-policy-settings.md + - name: Managing Windows Hello for Business in your organization + href: hello-manage-in-organization.md + - name: Windows Hello for Business Features + items: + - name: Conditional Access + href: hello-feature-conditional-access.md + - name: PIN Reset + href: hello-feature-pin-reset.md + - name: Dual Enrollment + href: hello-feature-dual-enrollment.md + - name: Dynamic Lock + href: hello-feature-dynamic-lock.md + - name: Multi-factor Unlock + href: feature-multifactor-unlock.md + - name: Remote Desktop + href: hello-feature-remote-desktop.md + - name: Troubleshooting + items: + - name: Known Deployment Issues + href: hello-deployment-issues.md + - name: Errors During PIN Creation + href: hello-errors-during-pin-creation.md + - name: Event ID 300 - Windows Hello successfully created + href: hello-event-300.md + - name: Windows Hello and password changes + href: hello-and-password-changes.md - name: Reference items: - - name: - href: - \ No newline at end of file + - name: Technology and Terminology + href: hello-how-it-works-technology.md + - name: Frequently Asked Questions (FAQ) + href: hello-faq.yml + - name: Windows Hello for Business videos + href: hello-videos.md From 9d7d199078b9917f52ea02e07840f65cb861b886 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Mon, 25 Jan 2021 11:18:44 -0800 Subject: [PATCH 158/304] fixing issues with toc.yml and index.yml --- .../security/identity-protection/hello-for-business/index.yml | 2 +- windows/security/identity-protection/hello-for-business/toc.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index 4035fa1cd7..4282b8e701 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -36,7 +36,7 @@ landingContent: url: hello-biometrics-in-enterprise.md - text: How Windows Hello for Business works url: hello-how-it-works.md - -linkListType: learn + - linkListType: learn links: - text: Technical Deep Dive - Device Registration url: hello-how-it-works-device-registration.md diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 65d8c83904..8a29bb7d81 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -102,7 +102,7 @@ - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - name: Managing Windows Hello for Business in your organization - href: hello-manage-in-organization.md + href: hello-manage-in-organization.md - name: Windows Hello for Business Features items: - name: Conditional Access From 28dedc57f594e67d556975d66849129bc3307241 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 12:35:49 -0800 Subject: [PATCH 159/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 195c784c4e..85158c1cb2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/22/2021 +ms.date: 01/25/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -38,12 +38,14 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) +6. [Getting help if you still have issues with false positives/negatives](#still-need-help) -This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +> [!IMPORTANT] +> This article is intended for security operators and administrators. ## Part 1: Review and classify alerts -If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. +If you see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. From 4562ca67bd6db40e1773e49f74f9839efde54300 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 12:39:33 -0800 Subject: [PATCH 160/304] Update defender-endpoint-false-positives-negatives.md --- ...defender-endpoint-false-positives-negatives.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 85158c1cb2..8e5c202978 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -136,7 +136,8 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi - [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) - [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. +> [!NOTE] +> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. The procedures in this section describe how to define exclusions and indicators. @@ -169,20 +170,20 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: +To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: +You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -| Indicator | Prerequisites | +| Indicator type and considerations | Prerequisites | |:----|:----| -|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] From 5928b1b0cfbd5d7b5630ea698680f7f63aeaa643 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 12:42:43 -0800 Subject: [PATCH 161/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8e5c202978..084f8103db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -183,15 +183,15 @@ You can create indicators for files, IP addresses, URLs, domains, and certificat | Indicator type and considerations | Prerequisites | |:----|:----| |**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). ## Part 4: Submit a file for analysis -You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. When you sign in at the submission site, you can track your submissions. ### Submit a file for analysis @@ -202,7 +202,7 @@ If you have a file that was either wrongly detected as malicious or was missed, ### Submit a fileless detection for analysis -If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. +If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. 1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. 2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. @@ -294,6 +294,10 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. +### Automated investigation and remediation + + + ## Still need help? If you still need help after working through all the steps in this article, your best bet is to contact technical support. From 2309a9407d18e11647f246145b695b5374280108 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:14:30 -0800 Subject: [PATCH 162/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 084f8103db..f8d93d2f54 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -296,7 +296,39 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett ### Automated investigation and remediation +[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions).) + +All remediation actions, whether pending or completed, can be viewed in the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). If necessary, your security operations team can undo a remediation action. And, you can set or change your level of automation. + +### Review actions that were taken + +1. Go to the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab. +3. Select an item to view more details about that remediation action. + +### Undo remediation actions + +If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. You can undo actions, such as isolating a device, restricting code execution, quarantining a file, removing a registry key, stopping a service, and more. + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab. +3. Select the actions that you want to undo. +4. In the pane on the right side of the screen, select **Undo**. + +> [!TIP] +> To learn more about remediation actions, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions). + +### Review and if needed, edit your automation level + +AIR capabilities in Defender for Endpoint are configured to one of several [levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels). + +- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. +- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. +- *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation. + +To review your AIR configuration and learn more about automation levels, see [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) and the [Levels of automation table](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation). ## Still need help? From 27efc5c2bc073c2823d0882dc57c7c9f1f0b8cf6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:16:18 -0800 Subject: [PATCH 163/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f8d93d2f54..24e9fbf78e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -328,11 +328,13 @@ AIR capabilities in Defender for Endpoint are configured to one of several [leve - *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. - *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation. -To review your AIR configuration and learn more about automation levels, see [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) and the [Levels of automation table](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation). +To review your AIR configuration and learn more about automation levels, see: +- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) +- [Levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation) ## Still need help? -If you still need help after working through all the steps in this article, your best bet is to contact technical support. +If you have worked through all the steps in this article and still need help, your best bet is to contact technical support. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. From 708066fb3779d7e195bc664c7dd7ee24cab311e9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:21:09 -0800 Subject: [PATCH 164/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 24e9fbf78e..695656e24e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -231,6 +231,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the - [Cloud-delivered protection](#cloud-delivered-protection) - [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications) +- [Automated investigation and remediation](#automated-investigation-and-remediation) ### Cloud-delivered protection From dd563409f25933ff6510d5d4c2a062857ced65e4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:29:24 -0800 Subject: [PATCH 165/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 34 ++----------------- 1 file changed, 3 insertions(+), 31 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 695656e24e..d201884712 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -299,39 +299,11 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett [Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions).) +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. -All remediation actions, whether pending or completed, can be viewed in the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). If necessary, your security operations team can undo a remediation action. And, you can set or change your level of automation. - -### Review actions that were taken - -1. Go to the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. Select the **History** tab. -3. Select an item to view more details about that remediation action. - -### Undo remediation actions - -If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. You can undo actions, such as isolating a device, restricting code execution, quarantining a file, removing a registry key, stopping a service, and more. - -1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. Select the **History** tab. -3. Select the actions that you want to undo. -4. In the pane on the right side of the screen, select **Undo**. - -> [!TIP] -> To learn more about remediation actions, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions). - -### Review and if needed, edit your automation level - -AIR capabilities in Defender for Endpoint are configured to one of several [levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels). - -- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. -- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. -- *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation. - -To review your AIR configuration and learn more about automation levels, see: +- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) -- [Levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation) + ## Still need help? From 995a3ed9aa6c99a38ad8714908adb25b3b8e16c0 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 25 Jan 2021 13:38:04 -0800 Subject: [PATCH 166/304] Update initiate-autoir-investigation.md --- .../microsoft-defender-atp/initiate-autoir-investigation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index caa8fb231b..5617ebcae7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -92,3 +92,4 @@ POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2 { "Comment": "Test investigation" } +``` From 3abff941ef1a32cac37e1abe0cf9fee91dc35f7f Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 25 Jan 2021 13:39:46 -0800 Subject: [PATCH 167/304] Update get-software-by-id.md --- .../microsoft-defender-atp/get-software-by-id.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index 58ff771315..43ed0055bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -1,6 +1,6 @@ --- title: Get software by Id -description: Retrieves a list of exposure scores by device group. +description: Retrieves a list of sofware by ID. keywords: apis, graph api, supported apis, get, software, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: m365-security From 68d2209f6732092de9cfbad01bf0e1686feb07f3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:55:09 -0800 Subject: [PATCH 168/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d201884712..9707bf3e13 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -101,6 +101,9 @@ If you have alerts that are either false positives or that are true positives bu Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone. +> [!TIP] +> See [Review remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). + ### Review completed actions 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. @@ -301,8 +304,8 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. -- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) -- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) +- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then +- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). ## Still need help? From 2c2052341de9a76ccc675be197d8f9e4b88a4cec Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 14:01:18 -0800 Subject: [PATCH 169/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9707bf3e13..573ce0cf3f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -302,7 +302,7 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett [Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team. - [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). From 18bbbe6262a11c530e44a23e596395aaa921f787 Mon Sep 17 00:00:00 2001 From: Jeff Gilbert Date: Mon, 25 Jan 2021 17:58:10 -0500 Subject: [PATCH 170/304] Update create-wip-policy-using-intune-azure.md Updated per request from PM (dereka). --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index f36275b6ba..19f213f47f 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -444,7 +444,7 @@ To stop Windows from automatically blocking these connections, you can add the ` For example: ```console -URL <,proxy>|URL <,proxy>/*AppCompat*/ +URL <,proxy>|URL <,proxy>|/*AppCompat*/ ``` When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. From 2e2653dbb8763aa1004865b394c8bbae887b2adf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 15:13:56 -0800 Subject: [PATCH 171/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 573ce0cf3f..9e49265a2f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -205,7 +205,7 @@ If you have a file that was either wrongly detected as malicious or was missed, ### Submit a fileless detection for analysis -If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. +If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10. 1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. 2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. From 285c15d89bcdbc854e1d7bd5fe8c1de59454cf6a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 25 Jan 2021 17:12:21 -0800 Subject: [PATCH 172/304] Update windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/web-content-filtering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index b6d259a0f2..87f0151c05 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -54,7 +54,7 @@ Before trying out this feature, make sure you have the following requirements: - Access to Microsoft Defender Security Center portal - Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update. -If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave and Opera are currently 3rd party browsers in which the feature is enabled. +If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave, and Opera are currently 3rd party browsers in which this feature is enabled. ## Data handling From a053a44b874e6005f1de3527aa9602cb8990fd0c Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 26 Jan 2021 10:31:42 +0200 Subject: [PATCH 173/304] 1 --- windows/security/threat-protection/TOC.md | 1 + .../api-release-notes.md | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index de8090f455..3b1c804e62 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -526,6 +526,7 @@ ##### [Microsoft Defender for Endpoint APIs Schema]() ###### [Supported Microsoft Defender for Endpoint APIs](microsoft-defender-atp/exposed-apis-list.md) +###### [Release Notes](microsoft-defender-atp/api-release-notes.md) ###### [Common REST API error codes](microsoft-defender-atp/common-errors.md) ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md new file mode 100644 index 0000000000..4a650a2e4d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -0,0 +1,35 @@ +--- +title: API release notes +description: Release notes for anything that is new in the API. +keywords: apis, mdatp api, updates, notes, release +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Release Notes + +## 2.2.4 + +- test 1 + +## 2.2.3 + +- test2 +- test3 + +## 2.1.58 + +- fix: test4 +- fix: test5 +- add: test6 From 7d9fbb1011a636246f5b8ee1eeda47b309177d71 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 26 Jan 2021 17:28:49 +0500 Subject: [PATCH 174/304] Update network-protection.md --- .../microsoft-defender-atp/network-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 7fd98bd981..0cf3df8758 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -45,7 +45,7 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network ## Requirements -Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection. +Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender AV real-time protection. Windows 10 version | Microsoft Defender Antivirus -|- From 930fc4dc29b48afbc9db8b7dc0d2a7c8eb9cd62b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 26 Jan 2021 17:32:17 +0500 Subject: [PATCH 175/304] Update troubleshoot-np.md --- .../threat-protection/microsoft-defender-atp/troubleshoot-np.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 4bfdccfe50..82fcbb7ca7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -45,7 +45,7 @@ There are four steps to troubleshooting these problems: Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). +> * Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. > * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). > * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. > * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. From 74cb283b850d34b520e224c3427a835072f062bd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 08:56:15 -0800 Subject: [PATCH 176/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9e49265a2f..d895dbaa84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/25/2021 +ms.date: 01/26/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -35,7 +35,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) -3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) +3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions) 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) 6. [Getting help if you still have issues with false positives/negatives](#still-need-help) @@ -131,7 +131,7 @@ If you find that a remediation action was taken automatically on an entity that 2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**. -## Part 3: Review or define exclusions for Microsoft Defender for Endpoint +## Part 3: Review or define exclusions An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. From 9570f49f975fab39c28c729a2aaa0ecef3cfe3d6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:08:43 -0800 Subject: [PATCH 177/304] crosslinking --- .../antivirus-false-positives-negatives.md | 7 ++++++- .../microsoft-defender-antivirus-compatibility.md | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md index 099dbc450f..e99e915192 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 06/08/2020 +ms.date: 01/26/2021 ms.reviewer: shwetaj manager: dansimp audience: ITPro @@ -35,6 +35,9 @@ What if something gets detected wrongly as malware, or something is missed? We c - [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring) - [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) +> [!TIP] +> This article focuses on false positives in Microsoft Defender Antivirus. If you want guidance for Microsoft Defender for Endpoint, which includes next-generation protection, endpoint detection and response, automated investigation and remediation, and more, see [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md). + ## Submit a file to Microsoft for analysis 1. Review the [submission guidelines](../intelligence/submission-guide.md). @@ -76,3 +79,5 @@ To learn more, see: [What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) + +[Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 7a74769372..ad505f776b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -122,4 +122,5 @@ The table in this section summarizes the functionality and features that are ava - [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) +- [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) - [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) From 79733d6899e099c607c3c2cfac9b538d7ed473e0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:10:21 -0800 Subject: [PATCH 178/304] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 4233bcca90..93e3809c2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -93,5 +93,6 @@ All remediation actions, whether pending or completed, can be viewed in the [Act ## See also - [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) - [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) - [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) From c067a53cca66b8ef72f63d94c56a31f155531c38 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:11:50 -0800 Subject: [PATCH 179/304] Update helpful-resources.md --- .../helpful-resources.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md index 7d275ab90b..fd973e1a2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md @@ -29,31 +29,31 @@ ms.technology: mde Access helpful resources such as links to blogs and other resources related to Microsoft Defender for Endpoint. ## Endpoint protection platform -- [Top scoring in industry +- [Top scoring in industry tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) -- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) +- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) -- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) +- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) -- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) +- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) ## Endpoint Detection Response -- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) +- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) ## Threat Vulnerability Management -- [Defender for Endpoint Threat & Vulnerability Management now publicly +- [Defender for Endpoint Threat & Vulnerability Management now publicly available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977) ## Operational -- [The Golden Hour remake - Defining metrics for a successful security +- [The Golden Hour remake - Defining metrics for a successful security operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014) -- [Defender for Endpoint Evaluation lab is now available in public preview +- [Defender for Endpoint Evaluation lab is now available in public preview ](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271) -- [How automation brings value to your security +- [How automation brings value to your security teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297) From 8c381211d597a1727bfdf4afcb05e1874ec85404 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:13:01 -0800 Subject: [PATCH 180/304] Update helpful-resources.md --- .../microsoft-defender-atp/helpful-resources.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md index fd973e1a2a..88e26c2252 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md @@ -57,3 +57,5 @@ Access helpful resources such as links to blogs and other resources related to - [How automation brings value to your security teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297) + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file From e3fb119c6451ff8e454050d406126460f245ef88 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:14:47 -0800 Subject: [PATCH 181/304] Update manage-atp-post-migration.md --- .../microsoft-defender-atp/manage-atp-post-migration.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md index 2cb0d3548e..efb39aa306 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md @@ -18,7 +18,7 @@ ms.collection: - M365-security-compliance - m365solution-scenario ms.topic: conceptual -ms.date: 09/22/2020 +ms.date: 01/26/2021 ms.reviewer: chventou --- @@ -43,3 +43,6 @@ The following table lists various tools/methods you can use, with links to learn |**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).

See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). | |**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*

You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).

You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).

You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). | +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file From 92f0b61c0674ae8e52cab1d67873b1ad9594da14 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:23:40 -0800 Subject: [PATCH 182/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d895dbaa84..217c0ca4ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -307,6 +307,9 @@ Depending on the [level of automation](https://docs.microsoft.com/windows/securi - [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). +> [!TIP] +> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle. + ## Still need help? From 66e207e995f7d51a6d0f8f2e0301d2c609cfc185 Mon Sep 17 00:00:00 2001 From: Peter Lewis Date: Tue, 26 Jan 2021 17:28:04 +0000 Subject: [PATCH 183/304] fix title fix title which omitted full wording (replace "Set up Microsoft c for macOS device groups in Jamf Pro" with "Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro") --- .../microsoft-defender-atp/mac-jamfpro-device-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md index 3b011e3606..73dc882a2c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md @@ -20,7 +20,7 @@ ms.topic: conceptual ms.technology: mde --- -# Set up Microsoft c for macOS device groups in Jamf Pro +# Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] From 99ddcfab0a6114688c9433efb418c6f987d0a1c8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:31:20 -0800 Subject: [PATCH 184/304] Update auto-investigation-action-center.md --- .../microsoft-defender-atp/auto-investigation-action-center.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index e929d6e210..0fb359840a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -170,3 +170,6 @@ When you click on the pending actions link, you'll be taken to the Action center - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file From 0ee619b4fcec0cb7011e5cf4f1e882a75be2b3b0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 10:22:42 -0800 Subject: [PATCH 185/304] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 0304cdd397..75f4bba554 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -15,7 +15,7 @@ ms.localizationpriority: medium ms.custom: - next-gen - edr -ms.date: 01/07/2021 +ms.date: 01/26/2021 ms.collection: - m365-security-compliance - m365initiative-defender-endpoint @@ -70,7 +70,7 @@ The following image shows an instance of unwanted software that was detected and |Requirement |Details | |---------|---------| |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | -|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | +|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server, version 1803 or newer
- Windows Server 2019 | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | |Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). | |Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | From 2b73b1d9c583dce0361b9cf4c9f953519d6b4f79 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:00:16 -0800 Subject: [PATCH 186/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 217c0ca4ff..9c411725bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,9 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution. + +If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: 1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) @@ -40,8 +42,8 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) 6. [Getting help if you still have issues with false positives/negatives](#still-need-help) -> [!IMPORTANT] -> This article is intended for security operators and administrators. +> [!NOTE] +> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md). ## Part 1: Review and classify alerts From 17d43cfd5707c0b32a5c96b5370503a93beed655 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:10:26 -0800 Subject: [PATCH 187/304] Update network-protection.md --- .../microsoft-defender-atp/network-protection.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 0cf3df8758..2a2ebcab64 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -45,13 +45,13 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network ## Requirements -Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender AV real-time protection. +Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection. -Windows 10 version | Microsoft Defender Antivirus --|- -Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled +| Windows 10 version | Microsoft Defender Antivirus | +|:---|:---| +| Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled | -After you have enabled the services, you may need to configure your network or firewall to allow the connections between the services and your endpoints. +After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your endpoints. - .smartscreen.microsoft.com - .smartscreen-prod.microsoft.com From 8bfa5fd4bf9e6d15aea12d0cd09f0628b01bac3a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:14:51 -0800 Subject: [PATCH 188/304] Update troubleshoot-np.md --- .../microsoft-defender-atp/troubleshoot-np.md | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 82fcbb7ca7..79cdbc3b60 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: dansimp ms.author: dansimp -ms.date: 03/27/2019 +ms.date: 01/26/2021 ms.reviewer: manager: dansimp ms.technology: mde @@ -24,14 +24,13 @@ ms.technology: mde **Applies to:** -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -* IT administrators +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- IT administrators When you use [Network protection](network-protection.md) you may encounter issues, such as: -* Network protection blocks a website that is safe (false positive) -* Network protection fails to block a suspicious or known malicious website (false negative) +- Network protection blocks a website that is safe (false positive) +- Network protection fails to block a suspicious or known malicious website (false negative) There are four steps to troubleshooting these problems: @@ -45,11 +44,11 @@ There are four steps to troubleshooting these problems: Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> * Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. -> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). -> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. -> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. -> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. +> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you are using a non-Microsoft antivirus solution](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). +> - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. +> - [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. +> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). ## Use audit mode @@ -61,9 +60,9 @@ You can enable network protection in audit mode and then visit a website that we Set-MpPreference -EnableNetworkProtection AuditMode ``` -1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). +2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. +3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. If network protection is not blocking a connection that you are expecting it should block, enable the feature. @@ -75,6 +74,8 @@ You can enable network protection in audit mode and then visit a website that we If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). +See [Address false positives/negatives in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives). + ## Exclude website from network protection scope To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check. @@ -89,16 +90,17 @@ When you report a problem with network protection, you are asked to collect and cd c:\program files\windows defender ``` -1. Run this command to generate the diagnostic logs: +2. Run this command to generate the diagnostic logs: ```PowerShell mpcmdrun -getfiles ``` -1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. +3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -* [Network protection](network-protection.md) -* [Evaluate network protection](evaluate-network-protection.md) -* [Enable network protection](enable-network-protection.md) +- [Network protection](network-protection.md) +- [Evaluate network protection](evaluate-network-protection.md) +- [Enable network protection](enable-network-protection.md) +- [Address false positives/negatives in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives) From 1bf91a1fd859e054e58303a537815bb4cfbe4c00 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:15:51 -0800 Subject: [PATCH 189/304] Update network-protection.md --- .../microsoft-defender-atp/network-protection.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 2a2ebcab64..29ed5acfbf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -79,11 +79,11 @@ You can review the Windows event log to see events that are created when network 3. This will create a custom view that filters to only show the following events related to network protection: - Event ID | Description - -|- - 5007 | Event when settings are changed - 1125 | Event when network protection fires in audit mode - 1126 | Event when network protection fires in block mode + | Event ID | Description | + |:---|:---| + | 5007 | Event when settings are changed | + | 1125 | Event when network protection fires in audit mode | + | 1126 | Event when network protection fires in block mode | ## Related articles From e2f432e0a8799480ccf021609a4e9d178d294237 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:28:01 -0800 Subject: [PATCH 190/304] Update md-app-guard-overview.md --- .../md-app-guard-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 0c47055df2..576fd34c27 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 12/17/2020 +ms.date: 01/27/2021 ms.reviewer: manager: dansimp ms.custom: asr From e6fb1e9cee0ae3f6ba9216514805cddc6a1c70f6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:28:24 -0800 Subject: [PATCH 191/304] Update md-app-guard-overview.md --- .../md-app-guard-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 576fd34c27..1187818d92 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -52,4 +52,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| -|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| From 2cbc3d3d36c30cbefa068412a6d603e077350e91 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 26 Jan 2021 13:00:19 -0800 Subject: [PATCH 192/304] Update customize-windows-10-start-screens-by-using-group-policy.md --- .../customize-windows-10-start-screens-by-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 3cd4ad2b71..ebadfd9803 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start and tasbkar with Group Policy (Windows 10) +title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 ms.reviewer: From 8128755e7ef4ff40de3ec3af2895bcdd7ec59206 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 13:08:23 -0800 Subject: [PATCH 193/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 39 ++++++++++++++++--- 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9c411725bb..d40358edae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -183,13 +183,40 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: +You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following sections: -| Indicator type and considerations | Prerequisites | -|:----|:----| -|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | +#### Indicators for files + +When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. + +Before you create indicators for files, make sure the following requirements are met: +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).) +- Antimalware client version is 4.18.1901.x or later +- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 +- The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) + +#### Indicators for IP addresses, URLs, or domains + +When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked. + +Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met: +- Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection)) +- Antimalware client version is 4.18.1906.x or later +- Devices are running Windows 10, version 1709, or later + +Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) + +#### Indicators for application certificates + +When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that you organization uses from being blocked. + +`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities). + +Before you create indicators for application certificates, make sure the following requirements are met: +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).) +- Antimalware client version is 4.18.1901.x or later +- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 +- Virus and threat protection definitions are up to date > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 9462c60ab32a5b72766646a6d88d2259a6688024 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 13:12:57 -0800 Subject: [PATCH 194/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d40358edae..a055c2e2f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -208,9 +208,7 @@ Custom network indicators are turned on in the Microsoft Defender Security Cente #### Indicators for application certificates -When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that you organization uses from being blocked. - -`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities). +When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported. Before you create indicators for application certificates, make sure the following requirements are met: - Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).) From 474099df034bf4f0f31aa59f9e6095a7d3208864 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 13:14:30 -0800 Subject: [PATCH 195/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index a055c2e2f7..f327f3bbc5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -329,7 +329,7 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett [Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team. +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team. - [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). From 2c8970880b66249c95bf2beea131184d0857517f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 13:19:51 -0800 Subject: [PATCH 196/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f327f3bbc5..f32e43f1a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -183,7 +183,10 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following sections: +You can create indicators for: +- [Files](#indicators-for-files) +- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) +- [Application certificates](#indicators-for-application-certificates) #### Indicators for files From d572315a16f509b1a726b333916bf1bd4ef6f822 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 13:21:16 -0800 Subject: [PATCH 197/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f32e43f1a9..89da6e7ecf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -211,7 +211,7 @@ Custom network indicators are turned on in the Microsoft Defender Security Cente #### Indicators for application certificates -When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported. +When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported. Before you create indicators for application certificates, make sure the following requirements are met: - Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).) From 76d679eb5918639eca7dc1cde370ef7ae0d35f22 Mon Sep 17 00:00:00 2001 From: Samantha Robertson Date: Tue, 26 Jan 2021 14:54:57 -0800 Subject: [PATCH 198/304] Adding art for false positive/negatives for Denise --- ...fender-endpoint-false-positives-negatives.md | 8 ++++++++ .../images/false-positives-indicators.png | Bin 0 -> 14102 bytes .../images/false-positives-overview.png | Bin 0 -> 27939 bytes .../images/false-positives-step-diagram.png | Bin 0 -> 19014 bytes 4 files changed, 8 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 89da6e7ecf..43eebf368e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,8 +33,13 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution. +![Definition of false positive and negatives in Windows Defender for Endpoints](images/false-positives-overview.png) + If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: +![Steps to address false positives and negatives](images/false-positives-step-diagram.png) + + 1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) 3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions) @@ -184,10 +189,13 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) You can create indicators for: + - [Files](#indicators-for-files) - [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) - [Application certificates](#indicators-for-application-certificates) +![Indicator types diagram](images/false-positives-indicators.png) + #### Indicators for files When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png new file mode 100644 index 0000000000000000000000000000000000000000..733db3cb46935defdc17fb312d25c927ea95f178 GIT binary patch literal 14102 zcmc(`X*^q7^fw+{)zZ=lEk%dhDvAzTHAQvOQq(-vaI0FOi7_H1p70g38aFzxVoC@atzg;+>Rp9_D;me|`FrW+r?>LgmH*XykCF*qu`yjaM?S zr+#cd+Guv+wuFk$+AF@eUZTb1^}Duh*WELBj_x@jt2Z3-CcNHwguJt0tUZt}G!mM! zDjnqnzni)%4e2%^izbhp7fKz=N(cE=QBhZ9xfSlUE#_J2?)&=NCsSrIa-!nZPBGy2 z<>P;Cx2XB~-f;<0dE)B-uQz{~`HZ|1Y?8@?DB?Iayoj~Q?`>x@gcB1?K5T1jdd&vO z*uq$Dk-lZ8-xP`Cy)V5lHhPtgDWyNdQENA)mHAwYKkho>PVk2 z2p#oedkQ?X*VovaD;SKF=z1p3HoUjw%S2$_E!rlRu8nM(SNedL?AkNEmsV9MUi z+Kg_CZbB!h001#>hU~;P9|jY*gqKX~ofS*8HW$ui=gErR^HZ&GPE-I+d}eB|&mW&0 zoOa*rPGRPB13xWRn@6wE+Wqv4Almbs0ys=H`p0x2v<0Mem@#Y$)XClII6W|g!~&}ZBuuq{+Ziv`7Q#B~~P{VHfibL#HOkx=U6gzvmm+x#g%a5Ua&0&A97| zO5FL7LgUrXHTQ(yS2U9so)Y1W^{=w&(R~dGYF-GxsQY7ns-4-4FF@jIvfR6Sf9AxG zTdh4wj>}oywQYUPD6N4Tj~Gids^psO?wD-;>+bV^6^r+{1);erlC^JHPdtQ|cUno?kc39_;SO-BEm^ zP8J^z41Z$VGoSB5?v1y|3eRmfU+B#RAZHg1&RwRS7pe%q4?-#m!;j@d+t{rDlVT>E z`nOm4X)qr$GB$J{s{jq~Keu*imbN#8@g}~nCMtzNrm~@J!UJ4Fg}Z{N%}&*JVgz@R z{jr{e`(>YJUzjz;3NZj2nRCDSqwkj}>#QAF(j8L?`2L0?5(W6}jc(Z3(REnk zkCLWL%a-5`Px?Z4D*~pU8+K(ahZFBG2J@utrA#d(Dn8~V^xSto(yhid<24BiqnpVc zqMnv^(rhM9wG*4LzP;eDBR&-HPBeEFO1@)_x8S<=A$+>YEdU z0^AI&f}9Ieln2{4dJk;{u_jot3&V!A)n^&K`e#MXtLlb(Y>Lj8LNI>a*d@~K+zta- zg7{6Tm++o4qF_g|^bujMum#2IdeZPC0+@W%r~0pVYi!iRQTqIFiqwy#hZ$Z->xw`|B4sIM@dX%vZZE8acXhi zlB2TM*G%hqQG4iT60{k-*NMUF?T0?LUAe?Ap!_Wt?vr0O^Buoy>3x4qOnM~ug2bCx zUq*G`LBW>(3eg#`IF7F|ZTwlUUGxl7`>OAw!FVXC-;4z51U08qv%=5srVNAC*A#Dm!r}_N}ayUpu9lIdGoqZItx8 zu-OIK>Jv2Ln=AbwTgO<>W7L`>BWBu6TYfm~%4~H7!~UvSI2V+p{pX@U_vT=-6}z!h zw_^jY5x5F#?Eju&n#K<> zoS}NV|EY?I{BdzL6ivM#x&m;?F#|qGXzh)wGyQ;M$j3-pZOf zaOs7W71!wlGQV-FMGnRbo)o17_v zLwV$-!KPJqvA;0#YI*!KY6*;&D>85!{ zY-v~VOIK2_B5}R7S5>|PHbdkbGqtgxaPn`VGdO4Iq-(t^L#Jm7V|RhE^UodgIqVel z#dwB-rP*9#>W7E*yHBks}ryD+;b!`K^3x>O)Ub#QjNmjI=6^A-ACU&Xk zoaNow($!RZ_`<8rUlibOi6K8+^_2V|n+lW!W|bTtc=2&V)opLguhsoRin4be4$v#x9=!ahj3TVJZ)=efJZ(p8XPH9?F^OPZPz`hg-cI!)A5O!NbjnP8_@PE&WoI%9@o*5$Gk(C^)TNu3m3s{?bkjKGc`^9e?MMz^o32tD`K)C4KD`E<&HKqbPX&^sUbeOcuhmAHz8$f0kEdY1`d4Eqs#baj~=o(730=4u&C*w0Qmy>}sKVXEig`i9W1)^=%`O5Wri*M|gRBE{D^rS?gRcUmU zvS3Q-!p~*}D7hbXG?-UcJzF(nhc457hjJDxoMElG_1L@R1zw9Zs@Vv@Hie(>L^H?3 zi$?2I-0Egu;8?k*JO=!QOC6UWakDRka-)3=o^JhktVBaVDx}c=U9f>g;Vj5M5!9hv zzC-N--%EHJsf91u``gYXoOyoIq6TE(nat?aN~%jRx6zf~u%ZlWK9Jf0rd`$@gH({s z?C4JIi66dH>^thz02ZJI7q6fD!^|42Y;nlJYBc*xZ`d9Cq#;@9esbsSf4qoHt3Wq0 zzOn31Is2kbxy*nj;+JoR6$<82OuT4AZTRS5K9A=c4LC}mD$^14!->HO z?8?@a(@k!9jHOl91+TqDNlULdW}tz!GmuC2k8Km6c7E@YmtwcVJxPdJ|3g7&i zI=F|_{j&N>mM^vH@;APzZT@LkNG9C@MY`WJ_$zMLAMW_)fcIF5t5Q#;zrq@)R8mwv zc4xWOA&!Ew!ar$h;O@;I?OFRNb$u-U^h;qkqIuovEs#<-XU+wU8vfDqU?s;p(ZcIv zdW_|h zJIsv|`R^rn^Z7318O7+Lm^S%}B(-iSI!sv{bnw z?~#>!^f!A?R<$#cKfqdr(Hl+|3k&!Iis6Lyv)cCLzDP>VnczRH6@Pr{%|LT-lUs5+ zVbaZM zopt|^5Zj$bM?L&XTjXLDh<@&U%ZNUP7r!s#6dn4C!7WWSy>=-RV9NF>)ta~jyj@cm zcDGIXdrMda;5H?$Mc5kFye@4^@zJX1f4KzJ2>u5<)5>Nx_s7QpDPpA(6tVch!fr$i z4*X2k0_nwk&Rw2J-=}S^?tJEqV>>>+Up;HEB1I1pRsJ_}rhI0A(_lH~4UO0;2FZYL zyPKWSx$E)%i+IvVWIBd~NeWguQ2Qop83~KNJ3OqTI&d}1>j&O@t-+FF_sqgpzEn#| zY6n?KwW}g~ak8g24R!*wNZC1lbGLJi&RSz~!x3dGCM>2%FO@)5&kXreg#2AIFPkp$ z^U&osCpxAXdz0C7j@dk*C@p)7r1bB)bqcq8kC9=tC2SWILfUbW&1fXdxhu}-q2mO0 z5_v3Fw7TarvUvr~H*L_F=Dc(-k=45a=}ck{tdbTuqe;UTZW}^!pCa)1?+U<&mQ~go zo!k@dwpNC6R(fDSNz(0j zeu0gL!+!jpG(T6u9Bn6?iZFtX%w_&m)9J>Ql@O9WS}hbakoP~-xjZTyzJCZtXI9Hi zU7C;L?H%oknn~=~F&ZCM*m+1vQEKZoSh1GyGC^q(d&=e-9qd1xbVF8d-pR)KXX%{7 zdS~dyaN_J91(FyztFE%vM6K6pFIBUqkrUMNJN<5%iefN9M={wj54l+HI9O3=wcXy* zvk1j2jE>JwufM{5LrN8uC1T*|H)9ZJn8~G(F?IOfJ}A#4Rzp`bTSsV{{Lr@?&(PJ! zj4EdN?7n*BR))^_@;f%aV*gqpb?N;wuhJ3h!gj=Ip0hh3#aKGFGL+wYGuYC&xUp&R zele$yQGvRTYk04;e60>V65ot_)Zh@FMUux08s5qL20B*-!>zP^Ag;^WQ2O8iAOHB7 zR#BbB$-3jv1vEQWzfNZ$R)Bc72`R~+%M$hQA}q&n%z)-+W*lgxnCuT-J;d7V4X)%? zUh1TSOAkWNuo?%}Ocd}0I!+EnhnVQ7)yVOIq{+_@)Ae)<_j&JBIJ};CZfCH5W<*98 z!u(|Tf!pzhZ7={Qv`W-r1)*lp6t{G4=#Pp{!$A}9pwH;ibx#;+8S){xTA}+x(z(9R z4GM#tV^-Yb?1z+ETZ-UZ_`sQ^>ep^WodW0xX!Dr9UXo#RGLqNdH|xHDGILs3g+6ZY zGn;w#Smk*`^do1&jWTgdR(Q0h{C+~NvfxEYehAuk%?nJE#VyVSI-Xj*#v*K#9zyhv zOI!l}ObZpmq+FA${J>nW*CuKId$Ov?89qx}s6ARJ0uU~ARL(~B>Q_CQNc#}d?0d_( z8uP{G#Fdmv(oJiUMb-`|@3~&@@wgH_Ml<%oW3%URp{92amsIwmdX1Nk{HeZpE@(w1 z>0_WrD)-vw$_v7gYtp0=0glDR@cYT9p(z>zqf3<_N~p3&>f}2Yov!^SX6`qBdJ{G% zvhfrOJ(!+|m6q1Wp{mYE&_eC?H31}LfCJpO<>enxZ%5u64iuC^emB1VfMO@KZ zrT?ZCU#u*vGgi3*Il0_E%l7k>B)C1wSXlpI4*WbgpDuT<7|Oen94PZs>q_^OT7^58 zIlcA>)$USqCG_mH%+cIC7SwWh+&@de0L|wn7OCzpJZu?q9wp6*^5t6dl_GSl-5gS+ zGh*G*0hES&L3nv8YnhkN79gl_+W@O&_}o6{d%s#4`?J2kbcg5Q?xo#?FA*|Nb|RI; zvcg2}Lg1FLLD5FHI`GIdhMDuq>(CiIz(@M3v7zlkE&zDyq7AU|z1mOf3100+SEMMy zF%;;H31}($AMU=f9mV?erEKFX7-4fcBuW#5Kne%Z{efJ~rsb?KtPo%!q1@csU z;>Xsr@Qul56WsHdR8_hAZ<8T2!ZP0y#0xUVQv4Z&R_TFX1-D)Lcy*}C$DD-#8U)0< zY)(fk+~!=a3q>nxTugl8;qGj81omaw?iIqd2+aPhVx=4U!%NoAJrFb!j7wdwb{nG- z=rt8q@M`&mQM~@buj)sO?w&^M$@)$dt00a{_-52Lal&J-kqbA(;+xle#H;uaLb;xH zv+$IAakU<*Htp$|Wx=Tt=`0&cNKMkPp4t>IqElnHd#2oBCZZ=9!#wipT2I>L%gHT? z?u$OSSA7I7BNBCGD(;+UkpZ*(|Z(R@DmacbXdIV>~3jGQ^O zRB6vt(JHFJfHL&dk~LoS*;`(toP8Jk1&#vcMKCT$+b^9-_vo5#=zpK5-i;fM+JB$G zE5HVLI9S>&m?-fC`z+|XP1JnLoW51aQynyeyPg>s^~gL!F?f~?ez}K_NLRXlsJM4e z4019fbx&T;qv6Kw*;@r7M(**AY}=)Doznu(@5AMiOXczp>sEV?oeT8$kTF3Pf)DBOO7MkvX}A-vh&ZA8F!}`Q$BDV@JUk^ zosY|2bkf zWUtWy5kbUTY+zL`uTLch`ZaY&jdA;!#b_W;C^}k;<{oFG_ScMyn2T2}xv;T!i(eS3 zt0#B<5wQbpliBo*Q)a;b{pa7KYX9-oC$7CF*6#c7fxTv%gEzKW>$7%$@!Su5dmtP0 zv?ua+73tE+_cUCf4e3be&*qTbE=VG;Gq5kk252y6QZ&H>lmjJsA@e20pK*0N#W%$6 z25nWNg^%s`mrCaV)G|#a*OVlpesmdg?21Eij8}FS?Ru&PT zkKZ1{#j;278Ma|DPfq+$(-q&4%!WRx?o#9h(ZIOTI%!v_#~NH6b&=LQjEj3tI;+B`-z<;E$%UhKdMW<3+dbjP ze}wMK%lx@QbyMkOcGKF}m^S}PfgBL4F9a{9L*MCJXG#O0)*c>ePIi5NLG@E zjcC;xbmKh%`n7m{dZvbo;7~GdR+c1shSHI1OHW+^0XoDPHHz2Bl1szNhGG#pkmt)^ zUQ>N{hu=jveFtgUYF{pt%X{m&`A*PBP9DvxM3H6s_R-K*vtrrPWnM!6;o1P|aEI3x zpIV$jST1V){;|>-HzJx$J*$~6R4n)|86~oUhx5wRev+qLKcHD68JN-~WSd&TfXfd2 zA!RgLHDZ|>(9#6Tirp%sZ^SP1O{2Z{|Dms|t6Rq+0c7r!+SX;{HXq_87^V(ZaI*p` zZ!3Bsf+Jb(^ekDU-=8G<3Xg7`)P>(}5G>+rX7pJgsa#--QZaGE0!IxK^wBb>jSh6JINFKa@0i5{vK;N-vM?UvJ0Yir* znbLzZ;NpeA75vhoNvp3vP;xoCf%|+J4dLI2M1%zYY5u_Kl1WC$Mv1%Zg|_nM%uO30 z6OVGCgC7Eg!6X%Z(7;xQGvTdj@8=_htT{Q-G^b5O8F|2qh4%i6qw zHHh3lo-o@qhk4eQxK(Mq35-d!XEiMhRh{rat_(0=UFdQV+!3h0Zy{56r1Kjw)VSzR8&qB00VHBXn(*C%A*s~>6! zAXNaj2)MTTs~c6fezt-?S|&%h{9|hsM?_wUL1VfZp!GZXdqj4<`?>1d0h6zg*UVd=P5n^{2a((jWiuO}~^{v%j5lHgUs?rG{zR_#J(Y zckkQ%OB$WUQh@`CYRw4YFSPL2FsFY{aiSY%;G+2`v~OA9zasU}EQWa9D6d*q$SOoL zYrY>Tq+h{ELUC~=i*-U2hEmVaR zE?A93yR5XhPiH?q{8R=Ilh{ixSrmD2`*{daxH@^Q+Muaw(4u0qzkBW_Ai90IgPCYJ zlWMQP|C&I9;KB0Mvd!Ygfr9FGCvP#mbfJL0wRzh)S4YUacxtl(H)hE5P?X}itShN* z>p%qC%`tPnjwh8gs}m4}O1eZ(GM~a?BpEGcZp?veRb?*}R~js7*9As=Qd9-|F zc{^t*Q2-zwoc0pVDuxX|ujGmiU2dvyYC&enX7fZqgposxOR!Wi1LRMYjhqgs+|2AK zygxE}OSo2T-g8(?)X;^^kjWS77!kOYTwbWeFDm_Bl^CiwZJKC-Uh_pQs*s9FdHjW8 zcYn)GA<^Le`8%@-m5ng){B3h%b(5fW%b^p^v5jj@?A*qhjuw2w_?&rQEtG|VFuHQ3 z{#ut_gvV*~y$`AY4jq!5uVOcPBA|<)XZnzTJ)fo#kFs>TjPg9>&b*F|SZOj{9rB@8 zTo;ShsE;PQkG-uV@aLgurrD?n05eDb_59Cxmv;;g4a~OT*X{rXg^DU}BYQn|e{}Co zgqc>Y{(9yay8QQ?)F&5d4smk@TdXFWGiQo$X#K+quur140gq)yei}rw2kzShCA;?C zc+~#z@G0)|6CH8`+Se#SxqwT_f(frMif-SO2%9-i-H=X^*%d&l%x6N#+NM6J3@?jZ zdNO0kYLM!ic|<(t5iLB-YQsCjazp@3TK;+>8o$U>TA`}flgfAg$#|Up&v~frryu{E z6Wg59+qJhJy*bY|`MkJL^R-vyD#N#wkTpAQWr-6t`w@H5h3Rb%n|$K0N&7TJC!~?I%caHK#BUjjr~6z>*Q!I0WP=lo-kK$ESzpVdNF&U_a6FW``zNMO;DZ!Vnk7U zJLP@z-|dG0hxYxyy?JLu7Q9g1}5RvpeGZLh$~YeVJiTJOuZMAg^y%oINeUZJ+;29Y)0OUjHnuc4PH_`Amwg6;)wwmGxxl+m zO+&b$5?r}?!EJ|`+kp17jBXNWt?gwvn|f2YXoSk}jATwnBTZ4dWBVNLs^IKdof(Yf zNY!Gk_;mefPovd~M4i5=Ren+$VQOVAngP9&G0VMiC2!1*z~B|JTURpr+!{Pol@)T( z{9XbVXdgM5i;GaV-eRrygwMbjS*w;BM1S~Ob|9l78QbU4Vr*(`bB~Z5*FS-1Zd-5U z0!2?5%=%DBHQh^fNTuYZ;mss6H3Yi5HrK}xa&eTAu-TQ&#e^O=HMJz$D@__(INx&u z8x_>~{9>5@RM)mK^@JIB7e-k7o3_?yBFEB=tQUYnGUqp0zkt&{K+{9b;Be84t!Rb-p|RkL5rVSqki0swaMM<|L--1x~bLC6Y5^ z;N4$mSRwmY*cql%Es(m}FOKNMf;GU{!I>~tbcHi3bTa@|L1sASjos5Ardn%%BO7sk zoRHgTmnK_e2}ffX#e>i>IHO|W0OLtI+qcek6XZ2tTxN$F;C!edt{`WMlAG*QTQ~j~ zcSK?BdHXWx;XrSnutug!=opD_312`K`n(T&G7$EPx{6BsvTBCN= zZ)&5JFVsGFA6$hn2hw!6FM0+0y`SqsGNUqzojUWy5mI(VT4ip&?skUHk+FL6n;Ke= z!_LkdRW?r5xD^#LOZR$+&BKs`>6>;Z`@-$Qe&y+KGdN`RSed^W@w)dpSM4c|R}AKC zkI|NqR`V{sYL(2~2CdBDgCs zCsk}FizRBA%sjy`T9PRd3De@)ep(Wr?@Yd9Sm3D z9dX#a0eRj3Wq!S)!t-(Ig`c#t?p$@SZvZGd@|`s<*@U$3+J%n*FQac_P8vJ49qUdO z#noF*pg(`Txy1_X#?qlNMNcivS;4Izi5Jo7l=MwP+AZn=^L(@hv1T(Ofn4!7IR4>? zS1mh$$4BMSYlRcWD=)BDZ<%Jzel0AyYe|W1VcPMb98!!I8KRYw(}e-M`;K`n4Tb#U zT9%)+T1BAgHFas zcD!2uccUYOnBQ;5jEVf9){Y9h z0AH&pA9-HirQ^%GxyC3}c2vx*OamX3`;PfaB(H_mT9BOog$OxocnmQ>%xO3eBaR`9 z(hyLssErqt;Z%Z`=Fp=(yUPRKW0(*Prx@%^N$quz-2|;TXubhl_FeHd;aUnt^0RJ1 zLy+Y&cHT5S)L9O*0*^{6)%rT@t)zcPmRs@iU6350= zm=*MIwsV6Ly)-GiZ*8N=e^^(IT- zL-Y$UJo}SGM4686#;|nfp(AMoHc02Y9eF~0kpb##6Bgq zF|z=x1uL{aS}8MP7lZ9a!cKH$*pStJhbihhdM?3tj;{2r<*?rf9;CaKUnFJ}GnWKQ zPcFiq-2TN$_4Eph@KjMW3?I=Z!(A-gvw#v)Y(tYbY;TZqnl2&W5Sksd_nt+dLkAWS z&DtohMF}=u%oGh4&a8J8b~&o(5@?JX&1AgO4=X`Ys#mQ@tvY!fy7ZH;I2(8K@KG^n zVnG@T#R>H!y;%b(4l4pz{YenYInQA_#(O-%MtUI^b<>J*ow@Ndqqtl6 zDwDAiS^HQ8?G|2fu7q6md(qVG=17|kT!jJk`3JE+Fj{CK*EHBMk1;H~?f%Pc7!7am z*wll<-9Y&8g<;%bQxT2xi%ODrzE{QmUES@umMB`Y0jF<5x&CZ5iDHeK#WObwiHIeGQnY;VX79+udYyh6m0;ROpp zW357WT3uxr>da*0@2D{`4A+iS({XmlMD-B}MX`2Fcy zUy_PZI>FN;tySs~KPZ56oS#%tnmDca5C>zA)jaCX`@$H1m4kAbB$e`ACz`dqgdpgPzjVdC%|H3ac8raNq!(hYnt{O zR8*KDA9AA)*7e4vul(E8){#s70aTLzKE;+@@m26CmOe!&Jp%Z2$p5=nImN_ zHRG&&7WZZ++&*Y*&2jw;{ESaoD0#t{F3qC;p}Zt!`Bg~8%;Yz!B#VZ-OBcTuR31kO za_D#b__V+`Kk27R2d@a%6Cbn@hD6*V&V z5|#=L^vs}kM3P+cW_=Cip01~_9aD0MVLQ3gul8mBoS!T>mJ`NlP4OfKxH09wxurKm z_%*l%s(fPQ+iO)e^sM7iUlIbHnbAmRuD<~u#?Jd$mSSwWt7&(U6{tI7-xs{~NS<2& zk^P{)^_S%Rl7tuO?-8QB)LTuf;hQsWGA1^9lGEw^R8Q7R9u~dP^^#-73g0{}N8>MP zm<&T^lDWs|5XO7VK*L`KfBM7y4YImdHbxOm5C`sOW19>^Q{AbCzKvj{ zrXV$Z=KYj1GF{hs^r+*YA$U=tWWj#Tk1exMhWR{3t61nu=G=nk(;bubTJXVwU>B|Nn5CZ)FAO%>lWxQngF`~Y#UOfO-t zFSeD}=-w}Tse5U;@T(Os%~`=hU9xNQrCAF$=^Dco9Id5R>opZj)n^9?3a$Rr6v#;3 z1Y385M5rS%Bn7H2I=NAXQlmenBY*l5m4gtK;R{y{$km2LA-9-82{@&;`zDooUyN;C zr*|aVnXp4n2fp?%;|kjLzKIR)RFjAhtpP58d0?h?kPbi`%F|XfQmd0p?~NJKPlqZ7 zlI2pEapeb(;9h8F5n?-`9+lSDbI)q}H5iXfri^*)X)r$OW|@%wegz+2T@lkC`KTT1 zW;pqx5?U5yH&H6?bAt6;&;~o@a0|rai-Ngv9cVW~icG3yXQpv5%tmI)TCK3xk+2ER zOA(R2E9vb0gNs-7bMeTI1Ppty;}|YnQ0$~%I%4ZuXs8uf{&7ItgSFuXAE+_O!YtTE zj-EVc#WjL-pONcpTN&)&SJGlymF~o-;qTT*y>$OHI`DxdQNQSn#;Cu;o`wDqgu7?$ zF!n^Zmf5dWu*)1ygA53h3lzKe;=YA)Y5}8TDBQo7+PS6-CtKLW53T{E5brqcFy1x% zl5KR>s^Tjo{?8_5i;Du;cE7)fW=Y)%lmDIXAo&^t zYT}PN3sB7;v_Jh2xw4GqCcyT9)U>k7Snp_VjdlmQu57`0%W~?ik!Px>hSX>c3HW}(?;vm#2P2o z`0BN&YYg=nXm+BzceVX7%vJxiHsOps2cQ6!?>L;+Bpt*xlaHx#>xXA3-;qHfj_q3w zrANgIe(@yzkvH#&_AnH0K-ZK3+>0NdJvM2aa#AFZ~xgj-VF;^h*zq5pe3ETOkn6Vx5;{qnzcQ<*um?lX2`u@%J;jy8HeW+st$6Ix- zaLdp!>ncJ`- z9D=IrP?H!M{F)kCm3%D&legKbEL+ShF5RYHULpL2^{=^Ld-`?~>thy808zp(~F?ki<2s;2h!#K%TRu?WwX z;yP-jo(N_W8YVurdXnwWVj=n-eIpmy{An4H_^ZmTm)E5a$$OVN4w=1oOZRb3b=8Qm zqKvx`1KvTz(9n8oB;CWcf6vL)1>Mdv@DhK-s|lPf-yfi|1bITh%A^9}1#HnW&A^{h zULWURftFcyg#XmzPZRCDidnqLEzrVQ2>!V%iRK>q+&48*Mz3#3z8o{iUNWb|(yHL=dypWD zQwjP{2c2~uqLDf6RpX@N;MVmgxY#fg7bOA7hc&tFUx^_*TnIOEVPAS{#^v7OyY`NV ztk}D-Zu(kXcBl3#rrGnG!}hK!d{?C)K27c9-W<>e&*~{XZ z3Q$zgnAq8l!`{4fDC#jyl;Z@h>TZ8s_J8W@38{TsQqBLy7WRU6^F(h3+`eIbz4EGe G?EeBWzMVb* literal 0 HcmV?d00001 diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png new file mode 100644 index 0000000000000000000000000000000000000000..e86ad1454deefca58b80b4c04d171bff693672e6 GIT binary patch literal 27939 zcmd42XH-*9^fnqrL_x(uQz@dNKp-FrN=K9yr1ug!BE5#*6cOnH2_U_NmJoWcDn$Z< z^bQJy5UL~;L%j!o_g(jX_Z%HtX>ZYjK%mP? ziZ3-mAgcEu(3wvc&I2vGiP%iw-$fTi19uRJ?)vH9nZcRBLlEc=Na^KsZSS# zhkIN;ympVXq)X|7mFs(lj~CDQcd&#CHeT1?#l7|_M>f{H6Cq&Mdo z6cm`B-)FQ(+!zXw;wT!KA*2=iuHe(O)Fjn())n4*{rN)Balb=0U9FXUN~>lS;SGqtQLbBkqGbCrduIn?C&+ic-p=8={15 zk2$|%{O$?ZSv20M?&$X;X8VWOqd617A}Uu(=CMixrBzZ)OQN_ZHE>7aVXO3^9z6bgYoS9IWdGreLjdXkX%c}67>X~pUiW4+tuc05j{1?|@jSfzh8gt@ z5J-g1hxa92R>qzed!YY;bblZS6g={1j5pV}$nQBzW6;v5^ik6M8)}U?6XScl(JG@~ z>eM4Jk4&QOw8{%Dy6Y^~Ff&8G>w#Zs;kVmQb`lciRGboN1tySt67(ru2?FdnNU@Sb zC=)VuX?R)xm9lI13IoA}7t%4IErpV}NKhgc_cq{6!f*x^@*O5y+-d_Bug7q2X4G$T z&pGlXqefImK5P3s*+BQc1?_}bi1L&g{=A!LKl6?Ws%GwHABEMKbevK%*@UW*QN|l6 zImEmV9v?5g-=~D$*w@cfZj4(?Izm^fex94^tRBbD?^o>FqKrqXv)9OvEpp>?&H)!X~4!1Lc}h!;qA+9*d?; z&APpm6-_wPP$16n52~PwlTFLN+#y4=CS#7<@`j_eOJny`!s7R-SIAzS{#+J4_6MP2 z{QO@>kp96B`_&Fh?Mp7z{0K_2dAoJA>JNr7F;D>t%;wJXzCN`;{9O5sZ2S2hDbM@U zoMnvV@8>Zq+8x%TLsgd9*KGMQS+Vlp*h-lp%T(RyfuQJoael`lbJDew1Z$}Sgu8Bx zG1ILHy|fDUdVgg$tU*H)bWQj1iyl8wF=nv}cHU zJyYqahJFc$=dBjc7mCd$LWEw@EjYlja$LX@h3I??~-3@dyaH2kZFJ|m)LJiYmURbAK-tIp{Ky<3H4~{@w~C3Uzc!g zCN`%hE(UFRO?+C6gHhM(10rKS5-h{pByO#Ob@x1ptSHP~sB-fv{Mgr_nkDwKeCRL2 zep(BkEffiT?({hvLApIi~Ad;?O%^}QPKcw z>|E-e3CsoCCmkvjXHY-5qRuUacz$Y29*?npMf|wuLGz%G!y}Bl?_RIM(5jfqhJId_ zqW7Xi?RDf*)62fV-Rb>J&jw0b-JmcRVr=}Pc1BK9y`RHe@4d!u0uB2?TTg+LY1iY> zL*kWOl70%!$b;sz!o#|N?<;1D`Am9kDnl`jYiTR31g-p^H}#I%J^4OM29*fZiWpds z{J2hLI$>4zjT*CQrj3tzor@c5(0PeV5pu;Vnzs6n%D<)<^)uK+=~YlB?ohBz_%8`7 z_2A0y>M2R~+Y$rSKH~OZciRn{A_)S_MUE2H{|a?`N|rWp6-#kG;1hH$D~jbeI6X)L zeXFnfO4mFK`nkyTwT2G2n4VqS7bjLsNn?g9&M$j&xL;UEyP2yRC-zjMrnm~~0~?KB zCF7j5^XtWvS6~~FuAE3YJXp_!B*IA{*DJfqeJl8OL{>7_%y+m|%@2=S73+e19F_L^ zx#0ixO-WI%Jq0S-E&eA%VdC{h;YR5+T$ER)$o$TIO--596$g`!H%vEEl67A9>qO(s zs&Z1LG7NnDcrVNU6`c@1am=Ld#AiF}GEsv-Ea#i`FXRe8fT&&*H>*$m+&!aY!{zw~ zUx9xHZ|WPV01t@8_XpVy6+z(dEGQEw_iMdizjiQpvDQt(jL#R2`r3}BMBT15q!z&} zV{N|p%AcdIR;EV|SwqS|YJO3oYZkDi$QZ*2OP0E#~$PRF|$_s9M}= zF@gJ4q&F%4=qAsTeC!>=-Ej;iP)#g%b@i>0fuuEEp?UT|jfo04qz?vVq=in^+g~fy z*1wC(izyl^rMtmwKCm;JE68~McJZR)RAAJMe2HQrMp(te@u?d{J9(LX{DCu%y*Q=i zQ)SJ8=B@ZK+=p5|g9j!v!Z>v|#$8!RB`ysNb1H!Mqo;idj#5qZ=32hEq|Bk?KE2BI zlv9hSt?s=eJ{JbK8lXhAO(t2b3O59zRf_Muj`DU_OhC9n&9y?>T#wiAAiKur2Tj{N zjbiSGGGB9#1|oiS+|4l5&TYvRqtl`Md9d)vR0Y33yizqcckGOgAu|%5`%rm4-V|Yo z0rP4(G9`rnZmhb^b4K%STJ89N^CTS>s_{ebNqSO4O&z!1N}9ik)eX21fv!Nm2;Inx z{`9KyQdaVK%{+T>{Thrsw{*INLEli!p@MUCnFNWrb*Bor<7OVa}kw{m(@;X}8ikchlk?96IJm%?2 z{prt*)WaB|(w(_J+2KYaiHfrcwPxOnh-dTFThn~&4|DuqPOeEN520odD>8d|3xx|s z^~gC%BD-#i*yzKIOqNY+XP$(lv7A4FzFZyOL$1{O>j>%b2j?|>4B-+pDehuL?qO)_ zYC#c*^LH8+TYD;HwmKzp`GA<uZ*&@)1ZNNQ6gd_d?y*Y0Q3 zS9#|W(9o7614JdsRE{O;6~{hjnE0{p8o5t9GBP27JqQ#Q9{vBHg);v`T!f3crx25t zMfz{boit4UM`Eb|;l=;Qqq~A1DeE(hUPG@zpwXy>uGoT-k`mN~BcfW6*o^l=^pk7A zIaEUizi@{t%xr= zCcUwE$N5~2qh(K)pewA;KFyL6YdxR`9Rh({_tUzk>5ouScw{>ut zsy6QL=Ym)JPVP9uSnKi5Y>$x5_dO_cVmf^_w>_W_kB>V-cRPCc^c3?bwEbz{VQ1Kp=5_d;N#K{SF*j zX&O!jch+${qDNCqG~EUMjmFdUWO&5AL^%(tA>l3KZo>(#W8+7OBVUNb+LEiN{iyY? z8~%_;EY=>&5n$xmadTCk*x`?~8l#M}8*@Cm61wAq@3vjssD%r4?2kMgbyiK79w>R1 zU+POf`YllpL9f&mV~gi;n~m{}4(Y60O+612Yx{`$Mf`*()sM7vTDfYw8{ByD%{-+# zZi_@+Ny1&9K)6b;bCE>xBur;^>N{ayV}Es{vq|X`5^1~h^FlqJkq==rb?)$WuJ@Q} z&{6w!n>`sG&2snBYkvXPnC(Vnlo+S3#2R$@8Rk>*&^@}mzHUvgSs#K5RwGP_Eq$+v zAerF4KU&>laxyghj#wtOBnUIUn~Qp)f_#n)C-X%9Qjj9Wb;I{dg|?l$e>EL$ahz-| zCgU_+7p=+RYW^1DO<1pjF-W1RK&?bg^a+3}ta%<@>p+*;?oUC|i#d?>#-{7Ot4+6! z;^DKdh>x_g*q258g(`(k+f#%cBO;GBQMV zXE3{6W&G-&-`}S8GLT8do&)*OIwQ`iFi|Cuu|})C=3#`M*4}h@JHa@{%4I4XLTnjR z-bv2y|DNyp6z#8LeX)n;6nr`#BF4!cy-NU_QlKT?D<6qsq19ir`*gIMJo?hrVk6Ms z-sD}yk1EBQfH8!##g&C~8&yOjwpMIpYwx>3Ju&DIW!O1M>mqy*;S7GIi^y$?pM%zt zQ8DJd&U|BvQ-7!G8gGT_OqTZzU;IHxUJ1Hg`}Y?i0sVfiC=lM4kWrf`<1#4RLtx43BLtNa*$Y_c%d`(lK1ELN!y*G<;Id)c-ovW)vtEMb? zDM;j~!fdZ-dOYPrKIf5!LGTw1qN7Gn~Z zrjKf&`6BS?-C4g)zq!=ey_P){J}B)yRAG#L2l4sWE!8n%C)tp7@jydp_YSu5AFNL=%H@s%Iw$;7aP$dAbfj7gv&|mrN zMy4Os2fU(U<&wkP2ZZZqmg5LR8#BZ*ysoE%@~jtM)&1Sn%~oFIZ{uhgKZTDoa$3c8 zx1`(-f%e zs*BV@{IJ$a={K~PC8+i)(_%3?>p8{j=t-C<>5JVdWE=eacVD>J4@a>W&BQA8w@e9t z&fYadR@zw^LSy*uSJ3*FU(0@m@%E{f3_w%iW1{)NQl(ciFmN~N}p)Ynru~IV^%ksHH{Nz_KefIQj_f2YcArowz}Pz^=Pnmv5u3;i=Xal7tf_N zxM`*ZF4avpF2WNDsxbrs-T=v`^CAK&{Xg?P$HM%}3_V#z-4@&VuCL8DrxsHszkLyQ zr37BSK2_@s(rm-9N(cJeI(cOtZx;+jKb=*CeUYE%r*GKcx{&&o!Ino#^Xinh5NP{L zN$qUIC%5+hK=PkwN=$g^3{BndoYB4bA4o1kw|16qOuK)RTHj0Gn!&7lZKCqw`gFa! zW8_hJ7rU}ehR+h{{uuz3LXF%vCl53|Tk8Ch|5o-wnN{AU4EU&lz0q2%1nD~{@6>Y* zmTI#;1z~|uGS7_joW9W9{%GxJ!}p+Fn;=gRz&!xr83*t~uxgs;tp!Cvhb9`MnGfsN zHcN#!KdeN`PqDt~e{wp^Kj3~jcsC=#ZS-}e!>MQeOCyG#55Vd%->0bn&8xk_wv-_(EPRV~nKFd^db z!>)mAmK>>k!UCe}5q8W&V=cSY3D4$Ej`uPd2!6BVjBe*J4ex-}X}uN_Qj4^6v>6ms zQ93a-yIZsFo#vF%5QP&f+MYy2VoTzA1l%*->zjxw&K5z!py0UR9>D*{Ajo~<&N+8r zfP-~I?qx*p=>eJWGCuyUwF2(bN5YX2fguc0DVBF%DLlSIWlZ^6q<);3|KC50O^7Ev zYMNj3vJ8p_Yx|U4<1aOOuBUv@l29}W4OhH4v~z`n496q&R0kzpe#z{2K5cnauNsj) z|8t8s1&4w@NY|=gO_TDu34|uzKxm@x-a`H({YvN$#n~BUy012;ym>r7m(L+}td?MT ze4a(9LbZF4D=&E(aJ34!;bH4Q~V z{Bu@@x)L4yc!B&Qz@2PiDX{ufL0Co5bQdnfsrk>}D0mNNfo&cdup2>8O}ZL-5J#){ z_(F0Y8ll7UQJ>}vsFMnk3j$kZFp5k25a@?!oDYJA2q#C%gAX_T`Hq%s=$$hUCXZrK zrLe8RZRH@+QzFXdM6qFm*(5o`uk&${9m{=9i@ZWbjmXim2g;^R`6XwEmV8YUN|$*e z4QF;LcvrN<9@f;<7ds~oQ;a|5Q<8+jqeH=8wQhkWn@lI(_GZGGPA0ku?vcbZ#kgSU1aJ_XY%lRw3V*}SU&pss629by{>3oqH z?iU0ZtZpJIP(Oa7yltL)ZlmR0ue@>#hJGTM^z#iieSUaaGJUKI z9h_fOfwI4k?h{q5e-Ay+mM}lU#SxI}R+P}4x@8oIX9j^fyZ;52$y|g+ug&~!P;XoI zi?A9h!0wg8&uJdcOMLMI!Gutu2n@b#iSe62BRC%8Ie|_z))w)RtI| zk5f&a)t}NopgZq+xZ7^IjD^G&Y)Tw1D!ntQI*5|rQwxjJ{5x$U?JiWHp4pi1RB+l? z(5dX|S>l5t{zIM%^zh@nCzbOKN#*nDef3ry3-zJfCNS_@k89lP6EGJ1^xnTz!xjjK;64HDSbB%Pd5hkpkM8W z=;6`R=Bw8KI9}Daa@L^HtB$uh_XbL5PW1QtzMTjfJX=aSUUVKbmHadQ^5)@T>%l;` z@TC8-xZY7uc;i1Q%3PrZ6eRcPVl+d0n%Bvydy&cM3<}SkdRsvGfAhru_bF{K*X;My z@x0mjD{Nv_Y|EI+zT)U#TU{J#Y7$%RSrI;SEdf-Y&c4R~-CD4KfUwV>R`_Fm|dQx zW;PZSg+$I>emX5En!CyJ;4V7r>xBSQA3So(oFVL+V*d4p*)i^>lBj)-e$iQ}PYwgs z!`Am8t%oG&XLKL2)@qM}KxJ1{S`^#EAdrIw5`f%;SZ)Dxr;^7-Pv56!mw4uyj-W%u zF{(ko&o=wj&hVmwm6W#X(bxt%w~e;9R0-Z5#<=9z)f;hKs#_NVz-dYN0GCJp%_-Xm(Fp>#6gI0MsZhDc2*9m1pBg`dGmUSLn~kuj87`Fg3>GwaWgC z_ak1nfu`o~^Z721PPT3lhM=XfU=^ft(OPjI>Q_!mKKu^#fUY!N<3#5QuOEu7C&!+0 zx?-5?fc-yn4=;~PAPUv0{dPb_=!zRKSfhrV>*aTaP1Pe37=#4QSyER(Yeb$wj835X z6V+T*5e@z#$hRe-$Kw&j62*L|tI#Xuh5tmZe-042awmB!k6Y2atb-@>BrzWsict~6 z+G9NOiYgHKkOk-dWIFSjo@x^(VC4kO){1$azT%1XbbX}-PA$ZY4RyP-?I#V-5WY~fXGzq? z##a&_E&+=cLn>Nbr$xsyw%2h-^CzQ7Bb$YoQ&C+CWmAY@{cJlD0)U2E;lM}wowLg@ zOutU`?F&4g8lISa|EcTY->s_Z>guZPKFPglk9}f+06$>mgH`ZfXgG`&`%ce}YZWhj z*zaIyOb|8~aCd-#W%_Ip7usCP;oaU}uIqE;T}rI!0h&Q9XHT`a6C8T_b`alLWBF61 z0nQQt8EuQ-V!A=`JZHEyXe8dw$lqMvw6(O^^V)!@i~MI~w&{URG6RX!ZpA>^Jn-wzLE_dm+1{$vwLgnwLzLLHBSUOOCu#GEDLTLTLy9vFR0xgNY3?7$ zRP5X|Z8y4u-2I@F@@TzWxw?`zXua{&nfR%79s;@^?2It1mNe7TM%--&0U#Ws^p;YjR`h}`72nrO{J zk)U5~ZaBc-}gc> z!#=}5QX2^OoP2GG)_Lx<9Q~^uOf!b?bW=Am?8!>gavFQoBkVKHW&8Q>`S^%d$-7P8 zHEi^Qju(OsV-qC)-WH+b0j(g22KqLfe=6UkH(wfltJ^ikW{a2Py-uN&XNzQcJ=gv; z@<3bu#pJvKsg4agT0`4R%KCDNM@j|o{c849>ga9EVFis@SFsoACAZam=ffX%nq12L z8j&*n`N_)Do{z~UpEUE=0*k#ReA#)T>v+=iM3GZ={@;}zG><=tC?YpNVm=bn1_u=c z90||exC2@lgeR8<)T7^xMjtkkhZZ5{7hdW-NtYDeQ5 ztX@H6yGCXvBk5y&c|YL#;h)C5ST7;d%K6aq)n^O5cV<2OJ)aJH8PUaKB2^VAZsKG! z?7UY~yvkN0R{0BVO+xW?Qoszzh1QX`CcELeHGn5B*A!Oe7?-QGdrvkb^`&sYHs7uu z`p=kod5FVVTlPHCzw-9u&{KcKc*3~fQ^`W-X1wOoTeeXGsDA&Y$HWDWlfSzPCnvw? zkALNzG^mb&SsmClGx7w99b=yC&tsm-)%HZ0WNlF=5)_P$vV?ItF zR$v);4a^ogP>a>j5Ac(gGA&>ZX3yJrsU4l+%V7K)ewnUMM%9V29a?9wOv$l{;CtbF zMVsgSt)_~np@FLtR!NfdyvQZ1#)S>h-hFO%SV1gC_*UH@9PWOFZ59`?IIO@XmpN29 z#P-@W*CvmqYlW0YuGjh5|GM?znjv~2UZ;yu)#qn@!*k)xJu}$GyF!2BP0X{S^}TRL z&sJuV$B~8)uNtI)TkVo1R}Sq6no+hpXHLhjg*W5bvs*OJbqbvB#jEU?Q?y6fLCCb? zFqRglpE}lsVtb;Ew^xiDvo6za?&U1H>_@zyAlG8_Y{9dGaBOa}UdQ@DmJ>*Stj=U@ zKgDllF$8Dl*O%MJqr#)E0YP2ce9^6Mvl9~{{5tWlPEt{-=QY0CwoE+s#rm+1#%FF- z{LCI%%s@fof?jWKtW*l%I3c8ViqupP5=Vi*-qPGcN~Dj$8%%yPn6xr-TuS|0@kG~+ z6c%>8dL}n)x)_;dK)`C(Z~pCAO|njHB%$pch{ER3D>$kFO$`yJGQ8GAxFX|xqEryOpmN7dT?gtH@p2;J6B_Ld{R-ps&VUG&^KpT8djmGw{T+xPgG z*r?P=VD5`Wd(%JdxIwtu*|3_zVS0OY+_BQOtdSv%rgbbJ>sF|X9IKT7vl+J@exlm( zqS^!97J!thKd0f{k^7gSbUw`7LXWxmLN2P89?8l^R)p)V8RAu=*&X)hI*+t%<@IiK znN!wNEGP@#U2Zdsy4K&I5~R}^l>zL)Tk)d-WNCMY#9jQopuimmv>FPd!YujP#aoZ<)9QM_Bg(p6(lD6QAr_)s5Md) zi@(ZWGvKDnoKHKFH2HR=ST+04!E1JjQZ?esy>_|lG_r%khO9kU-hM|c8XS9g{4r6- zs6I?S=@8NP!}7<}`!9A3U%7I9f_>jWG;J#@c#<^vK74DZA9^;gTYD?R#CKr*p6Q1P z@+-IPiqVki`mEqr}ID# z9W)y8u{iF4Rp3dEjp>Yg=SIMQ^^bH{`j12dSZx_Hb3hj$M;@`0y{a6RDa2K%53f(+ z%Qe+fueUVJ>lWxkah1lC>TJ6$_Qo|s&TUY^puKMlST%IL=iO@qi8_5bsb_}FrXD&w zSu#;Zl;JMjE^G+aaSB6Nsh3>ZsD}Hji;cC|fyTEcB;mTo?4GSvk=Dq_&8A`e!%*sv znj%>-*WAcSyv&~gr({|0TjDgSxFm$a(mcJ$nZO_dDd)ODEywcYm8z_AN9xd z>yn?=ayLit^9uBt#mwq~0si&F^>$G9*oajlTC_r)LLJtYbbS*KZWeDV&)#(n^sGAXgMtdASl}BXo{blJtaoz!w?FEK)go-!R9Vc3aLsH?y&MyPSHFqWu0*zJ0QaT@SHVA{UzX2njKS!{U5sh{x zDMO#o1#^`H0R!vfbe|D#{9t)bpz)Ae6B(54YSi@_Y(oGK1Zke6jK~J?KLy!l|^s zEJoX>y_b&ZEA>5Q4Zx);xI z=JZjgJ!3Xglq#P5%~%$2`s`e8!tPXjzw8>@Mv&a}A^vaU7i2iUZ(rZ}khz!MZ!fJ854Y+|S(QKL^r(TD){_ z7Cr`>%Dj$FQ)YQ8UTS$0OtfQcDsG-z`4nHQ^PVeHmuR1mDfLD(zFC%VcTlrQ_gyLj z(LiIW&=BrsQj9nlwlFiB(eE_FOQ^ zc<>}dcKlu#Jx7NBr<PG7X*N79DWtqM0HdWGh z`|Cj(KTUlF`w&SK85c+(%Uk-3LAVSuy(PRNheVUiJ)DPYpB^VpOF<|LAAafVfN!Sf zV|%7FwfFh8QV;VSHVR>v;EvOO#UIiyJb|?&K23T&YAPXMV8OoKh~0p?5roWX z!IATB)2RA(9m>ZyF9OGE=LegY+{!UxOsm3Od$N#_`Is^ABG!zf2ONb?Ix)v|=u*{Uo`XG!mdXm9qy!72` z?vG40&gdy9Rbpci(6Irl7T1!}tl z)v*2a4WASHwegrC)2hNhq7u8&@I8xE+|UK3f;fdhhg=ET_}up^vhXDO3U2-p^n&K> zJ=y}_1Y;k4BpRo@LvSX*=EOGr>YfM+_cUwE>7;tGuWlqIn>0x?^zDVwRQapAjiD}D zt6%Vw1$$x9sLO!WxRfr13CVW`XN&2sU<%3EaeD?#e%w6zDqAb9Vzw(7q}UP}hrObQ zeOCBQcLgLs*ZmOR8S!#WW+iR0xa@PU~*!aqO)ZX zSIIcwqr;BUuV(xB=3YpTQkSx$q|T)}ZU_%+e5Ku^++u%(x<6NFhflSfh;wO-Ud1AQ z-V-9qFpJN6wjCZKfqGkHJ)`WnnKXFxyF%|+>kYvU{F9C0Yeu2rh!gB5t`I=BP|oPt zyGz%7vysKB7O(=BL;w+YE8z3|w6FLrA_wt_#d)R}iM}JCW%Tv1$nXh@p3bH!WnzD6 zVPA3;8lfR_6l1$>zOMcmNixN$jZ{Z|g*x-8jcw&D7Dm)MwaK+QYE*(>=OJRTh5UYH z@=%z^)T<%CQMbfTXRWCPdE4Q14eb^Bqs_xRfd)vgulaz&-dNqpi~>lROGv4bkbE_; zdD>K-s(w+Wb!`;{r>)gg6YO1{Y#;`O+b*|a-qvf@L5D9UQp=E*n;FFy;>QRLgE|I! zG)C#$4PFJbLDq2z zsQ^UglWN-hqO)dTO`acv%B(NV7iEMXQp=f-DeyIBsM!3JSKlqN%hh-$}_$iNNU#WF; z-O(g!1S+F5^Mm(Ao?Tl<b8}W@OLd?nB(<#j0By2UT;)91az^niD02Qk z7}nkv51ju0K+=GvKNa);j(@nL$4u*TPNZRI{ZfkkAS%g3tkNH}8o?ZIuoO`a666T* z>q#CeOri|D6H0B%U!($wgh6zhR!du3+*=r>X*r{=8Te1?M}o}AU#zQW0{?_?U;@|& zJ*qVT4)Z5`Ba1;cXtLsCz{N8kqGq-=f7oS$1R;PaFq8N!@iIs$>z>4AncARov+Gwl6;)U%*i@{4h*)Eq^}2n%tMQ{{w=He zQ^-w599XW`C&x#`L?b5yu#Y+1f7NJiC9MWgc1r$Eo!Eru3XFT6b~S4Tbik&{kZ`Jg z)t_|ey30n+{d=GHb53JWMardsO5g4<`03RLklFMvp@uuNfQM9|7O2OfcFFvF``*~4HJX4i6{VyLGcP{NrdYFL2c~wq72o%f;go5|*ul!DC0`_Kz*v1XR@9!R` zfW3hnM3vna?Y#f#pAG<-fp~0719#95X{V0%=A<>Q93-0-QrlKg=ELx1XW`^; zDItIAWcOw6^vNp4ChtWlUnW3jObuq9P%;JhHc#^h2AxlKodx)S`&_^^90>P&@Jnba z!?S>Y>5y$y^m&^>CkI3z|Eq*Atm2&138jCoMy$fD*SB)vrs4Kp<}LD{UK@!@()8nu z^6}6RW;SUDc7<4WlrA9F^OtCU%l!QMxPoORAwM!?+^*31DCw*%N{vi4q5R*C#HBN# zE?J6{gb_6WPE6&P+KJ_9E~F$LZV`^%@uDR%`&!aFT6ExtlXrpXwY>&%Fa)n+n|}S) zeWyr7TWroYC;UTrWo{>5{ikC1dqvZ_(zOz!8iJPpL+1W)5XehYM~2 zw3k!!u!>-o)J%i^nepE63<*dZ0!u1U#TSlspESozh{c%gt!pvmQv^(h?$0`*Xbx;$4rlW@0=FVgIG z9sS&{{D}e1WiSLs> zIqY*=o2reSJhdsop8*4Qt>o4|N+7@%wUG_`GcO{2LYD3?&inVydy6--2?Rra35nfXsk1jvRM9veP0IDpPX70L z2PypvHZP$GOmP!05d!$l66b(b`6Xw?G$5zPQsCb*>T`0xe|+cZfQk^~jTy$H!=8(?SUe4gW>CyH~lT;Jc_td(&c|`sWi0a%1t@TEE+8a zR;T&}oQpD?4&6zB;oe?MP{W2|0&@MqC;vK^8Dw3pk%1&kRt5BOpVY>J;2w`V^= z8kTdq3DH2F@UAo4m=COA)x6o~@9(f7fV51&w(PG=`hQQw$16jW#68y(lS~7B@bIT| z{_YFHtMAS`9Q5`e^-M%5+o3DD{eRsIkb8r_j{Z@R132jkO9D{jX)@{+r zBDF#53}5^Fg`+lUV5R~II@w8ei(QVsJKxW~;rc_x@mFR)vh{D|_OB3nCj6i)0Ey~e zDZhgi@Qq0e*qyi`hrI%DCA;~lPAUE(*N|_;##F2yfoZO=Ci{_!nrL#2e9_T^3D;^v zn3M1o8seHJDe4(x&s|?~V$Q7oDl+4G|ER*IKcib&VXjQfscEY-ocbknc59(aygPf9 zQS~*BEVE6eB*fewXC-k#*?l{`L5Ehg0S@{WS;=j$tPx>i|Z=RZ36No5qQ z)&)4O)#-I`PFP9)bZz`g6sJxaHFoO2*9o^}t9b-f)1gYsr}AJTQ;Q0=9e?^vH;CE3 z-90!G-BHbaaZEY6`0uoa?zsN>nq;N(0T#)Hf8_GEi(oJ9Q*ke$+LvxfIv|{SlSt^; zK`l|S(ug7WjUJt?1`L@5ftA|BAq^76mpqzEsFif3QLCgFA{yhN>dIp>61u<-vk{%I z*AIk*#7Ek|{GCi)+hn&IjzrU&4i^G$F4(S`tTd1%3&lPj80OZE2y%@58H!t{r}4RQPXt9LTj zi{CnKXO6`bh8mT?>|5Xv zRE;Qo#8=iL;s2EjK#y_>_!)4o=N;ek6$U+?_g>SkU5mF)66HFu?)!?*)r~2Y-`L*x zQ7z|sWA1+^c>);)-EcU0I}foe#>2h!*(l;0ZRk(e?psCiMq?9r>>?A|#n$lkmQh#Z z(nFQZY-oSQOGN*h@*Q{Wy`)WpMl!K=5Sf}jxZ|$Xuh1p%RA(e4a|i(7uT+x=WZKd> zNF-~zUJI8WpJgp|QZp&{a0*WT^(ABq(yePp5-V;n@kt1s8a4JyU-rH|_Kg8!A8)!- zxUCZ#(c`0Q+@LD7>@@J4&gy6Uk>6C`6g?(B-F81}JGzKmN6bVJ{#NRkz ze=wSkyE7Z2L+M_fcKk^yOkXjuF!0|T?f6}l?kugROTnI)hNouJ{;n;A2-_v`o5Yzk( zxoc$Yo%zA?zk@ZbT(~})jfjk6*0Q9$SmS11G zpJa%KfahoFf`gywP1-ICnrZvq&u@9T9F-gxQ7Jaep)uOF#fSP*V0j%^eNHzPNj3Mq z&Ik2qEA@ToRN`&v#s)z2jP~7z)oT0A29Xy#D4`S@4y_JsyeDuoO}aT~dyXk9fAyek)3v+s+0GnQYM++s5Iit; za=*}>HdmtVaK5pIr$q!B+w%=y>cIe+9a7n97kyv8!P>VzNYueUq$jL0JZLEDazX85 zpnfnJPQE|Oxv}|S?7nYY+%8{4#^NqAMY41Imi_1{jt#OQg04R`AYdhfRV6XtVmkTg*iEc8yq+%x$G z%eNG61NV3dv*Z<$4UE}f_~xkltA1VSsk^?3hG(`9aI_Z4PzZ0!KAZTS4!L@&msV96cOJVML{beEH+0=DgRE7M8+i)(lB)kk4r=%czVgVF(^ED2Eh#wio|$Q& zGHXNB=4s=zVC&G%5SfAbvBctM5`qN(#mJoD?)4KLrpE=gTpcHb?pS^gpA_HBaXAsg zc5P=B_G^L6JE&I^>ErIStEBk+jWYQ7y>@GDqyYGfV`*$vK&juSubYNO{;8Nw$I?je zIClE1&i&6^E%C2-5Un$B(dVx&p&-(#(tVd-eQB^S%{eq?ZrGmDrKUAMv(!}`;+Ar` zA4XnumNb)i%J21}%m|^U9O*8Z!d@umyrO+WOQ^Y6}9 zs#mwkWE!O*2EP-|3D`N;NtNSy=HHfx>?JTW6@m5Of9DTPQ3M?}$-O@ECuJ%-xOT^H zie)?xB!5uesqsZ8W&T>1bJFk|jg^$lXFErt|1bGFH_6~$0S1g$ai&vGsXH7An`#{$l*WuUb z@A{>`{lAL)uBfKEw%drG4N*iXA_5{J5C|Y39aIp|AV^E72_PUM1f+!C6p$t$m{6oj z2_+DulNgF9AVGRlsx$+H9+0a1JHFp{{xi-v7yrc>#=6vRiDYf$R zu<@U09Y@daaaX$poG%R&cEry`IbFCX$7`g3pluz&#C2D|L47B z+ET?rMEUeO)6t2~-vuWOLk8TQnW}E898uMs>$}k%Om`K_;S-2i(TLL+_SrPG8C&qY z*io7g$m=bv*QS#@iQetg7<@zb*iiAE0u?yaN_Frl^CejkC?Sj zgs&I?n0bPy3;Oe_xGU9$hlr>0lk+i302=&@orQGWMft|-8jIfA;U0zgu(Ca>gGns{^FNzt2Yn0|5a>eex?4YSoP&6-?NO^zJge1UW5G<)+aP2Hg}K`OlE{&oUj%fgY(`(Y)CWG~%jSmWAoa zPwPS-)@IGpu;L0gvsuT5@A!?)hMd5)W-j>1qs%Zz%G#2)5(GBwXKuLGa=64@YTc-nXSGQxv zs->u9jeXBuu@EKq{QWA&#&WZ1)Q9BcF-`Qc%Kmj1X>_QQ(s1pI@>8L{8ttF-I}Eo; zn2&Xxug7b2LXTX!_WIEvTCxH5I+-XxYjuq!M3N6kvwJ>$;)m(>iJ4g- z)G{U4W=e&`3$i@+erZi6jHZ8s4KFIdu$a*$vX|^W?wXjXPQqrdB zpoei?V!XBX*o;28@`evJf@Nx#KVek3$KX&je{HEFn9E<8D3R;$jBHD4)b$VDy(7RP z#eX&_oWB9as(TC6UnMw`Y}Y=RSA3Mc$gc;taQcpmc+kDtC@Y(-D*#yqH!T>gF|s*r zy(G2Zw|WZG2r5=$cHBF^xv{)*5kt8mu|9!5a_-`B7<39O9{N7O)0H++U2z$(5-FfY zn5+yCeX`nMh%J@g!(t9=BU4^DJo6wOqU3dAfZozA%3J#aSuq4<+Xg*9alo$S?wfDg zDM|ORaP!e`N-D7AM63qT{8amAI0e1@(U*5aEMP&N54s;=pVO~>=ZHth(w`q2)L_Xa z8NS{1Aj-xM{+nL1@@zCtN27-|k6Wzjh`4m*RvBM+3FV7y-@dxlbo-Q;-a46LdT7rp zeg-7=s>{qPkmeUo_aB~9&{3v*8W6QaqbH3euGeU{%&3KoI(wGGc;%|)=Og+>+6ofz zeae%&UGE}~^1QM_!f~5DUDV%s3pzbRFA~%4FM$@q-$j%w>m=-CSJP6a0ePyn+pJ_R zX=f{BNYOjRQ_TyEiDQ?lx7@5S^h3!{|GF71*)Tuj);`4{fW_G*vOu-7$f4QNJ-*@P zOrk_nuVB+c!~!D%FWku zTi|vOduQiFn-WMBkJ-Qlm>R6fbk3VrangRjBP){o24(t~!%VW!+@C#g;9E)(z9i3P z4y|3ci{Zn;ZP?~YGCO=Xiq4eLR)>P}OPiVvyJ7FQtA4ZR=;*`$GB<0V6i6(G>WSH` zlbi8N*q0j!Fc09#qVJ|4DJl}`_|nUm<1y!3O3UY8g;iLG_UWL=4z1tO;25DzRv;ap zBm3+tK2N{hq1fwkY|6L2qT2a?2K8tq%cwq4rKI3k=M3BOC4#(*58R<<1Ub)aB?{2;Jago#@J}t zUH-InZG0+3QjIWqDU5>98a-#88Ofw!?E{b3ZX)2#}v)xp=ufP4YO&YEzV4V#_mo&JY z(|4&|4yp49MM30)>tLUn zF0)#1ojs*y&zS9TVpH5~x!vN*SxHs5+$ z8*~tNbl~S5Wu1e}wCs4RF@!S5%2>WsgwP{jyb|;EBwN_T#_nAy%b<0x;PPr`IP-pr z%r_x~=^3x1o9Y+cZtHH>sr+j?VBx^b;87BXb$y1mWuZoQcHNKIKgsY{#-^)^Cff(Y zG7l&kuPQfL=yJz?&GvY};g@b5Elv5>A(-hziKiG#evjgVghDujQRH_^Xe2D zlWtDmx$U3z8FC4VmdCTO)!ytb^G@|OxRmU0|D#dhx0XTaf`x25EX%Lyb>rAXm98{G z<^I!te=Pll<}z?PID1 zp8P(VdT#MfA=fLbkxc!vy6FxL$^EhL&w>l^It+n8|6`Y#VwJ<*NH7V=3@wa{3_P4s z)7e`kMrCe0Tx-J`+*k9Oa= zeBrN}=8;&%FNQJ@_ukd#6Hi|#tJ=2@4`A~dUbNC$35aS4Z01f~A0-JSrSdo6`rT&$ zpwC*LNg`o}L&3D#AiQ^K@y@4P2O2+Fn+x^*w?UUdELoc1FhJu3YWkt?ur(aCJe+hj zsqYSVSh@A^N8`#7VbH774EqehM+ot-qDMl#4ZSrSBMmvrFE;@Q5Dz*%#oS|gP1l*X z`6@f$Z)9KLe{ItH`m}D-5zxy>OjRE;H1N4JKoW$gn?`ZA^t`x;f{R$lx-X=l#g0H) z4QlV+0yVuZH&mb<2ZE!RQw;Yd5PLH;?hH=8loW`>yEgP6@6ZlVI9cD#(- z>{pp#>ZV#NIfhKtRrT8s#RN>c>P+Ict=Y^eiYwuE`F%EIJ3M$@6920f_=HWA^z)&#u}SS8K;MxBj+bFB><2eAt$B4?<5=-gcI za&|4?l4}n{=z+&EEN;4YJra@tmqY!Q?S0{x)0~3a0M?Kd5BSq%BuzH&T8&#Z4EYGq zCRW{9$z&vD0fZ|ER2dpBr2&VC2KOE_q!_nDMeJ{!hdfde&exAlv=k|Qeg8D=%|0Rakti(NE7YZkQ{Z^4L zRgr?NdDe4tPlPP~gyhv5Gl1c2?!D3O%58tYD)H@${IXM`VTQ-+=k=J|E@$=YryHI` zabq9!GW~_zLHJ`p?Vvg;p2`uMv$}JpxfqQ^!zbk=SwL zSaumAW@JND2tvWr@}*jjxk3w_Ju@0mzl}24lezK}`h<1zyTm5Jw*cfr)cYU4B4n_9 z=1YR0@ZP!LU*PI{Vm8l!>t7Up|%8C;^}z5CVz zVR~QoL^^=80#E{K+WQ2~?YTq@q#!VmtBgi(W|lErfVLhnuQ|69(>pqLpiz%8@+ z`8!{~z@@_)17ZbIk>w7rz7s9@D?lL*?#q2aKPY zydSRuC`j>#J0@K^jpf@!%=k%b21gOH6^athPS{^<%u;^=p9NHoo!xw`K%xS`P^$yL z$Cq)#w6fK2<+dBW6aJ1*!}|~MWet8CrH6Z8ZWm` zd~#GiG38@x8qAKYXt5>1+dS*LXeobmj^_)o*9IxS>T?o2?aU`+-;@1UQ1^-zIQ@v( z4kP_hN^aAi?YdP(LzMV>iS_>5xDLri6@*(0$D2du3lKB|Sid|BVBf03ooC3v;jv#= zeq7dVy()(*$_5)Z4Zp0{v2b6Gw|@(mc63M$(KsS5rbb{?onnN@)i>04BPwlZDXO&x3N#$1|9~`WEz`U8+2? zUz1x_Bpj$IXaOCYJ#=iq3)xcH%`oOm-z&+~X z8RLpkQEo$w-5@2TIak}NZ|EMs zfuB47R*p1Vy9il7j$MI2w9}sNKTp(IZb{>t%-b~Kxvw67K<+@g!GJ|7z|58TkXh}e zn$^P7j_xzYa|!>FM&0!<;YM(k51vdVFB-5P!}1w?pS7)xL8@YcW)J=NT*bmNKM4Nu zD(227bs0v70G!rT`e%;YN8qs~J~8^oI~l@BkuYE;;Uqd#8A{W~fRr!f%rr^9Uh4PW zLrE#Hh-nkBQ9<`JVJ>9>bfql+Tfy_qBK91Xzuf|m&>$Wt zKUCoFjBR=x3jFTl*WCXU1HA^~=@S1>u>v69zIX(IQUAM<} z|1MtqKd!{aVi!DwBOu|(-QYg5NH?)P!Q@x)vSzxzn9x;+kcmM z!{bsX5V-S+UvC@WKeH(g8HHk>-i--sIJ)BPu&Cb@v9k04euZb&qEps#|Lc)r_!ve< zrl(gL5C24^ERy$(2A^+MYuu(}&XM;P@%hdHaXXWxq!Y`N*fo5b_DBrFS5s%d7JM+hE)QUODr{K z6vGp$n?#o8lC6-U4x+rd9?@3R&C;Fz0o9(}FWvWpBHG8@bw}6synN>^Hd>xB8zmap zJJCYp@G9vz%GIAnRLmi%3LQ%;w2Q4!*()@2;5AFNxY#Z~c9y20@bNl~9fq1Ga)8Wu3JV?||mBxUwwM``p*6nJl0?cvHdw3oFM_iYEG9rnwp`?alKG@+L+h7?NJ3EQLMx2D(2Hq*{ zFI5UpxsVoc?T3ccdv4=yZM<*ZuaM`>`AvLcmp;&QJub~9E93j2{b%1%9ot*LT^ITk ziP1#CvcqVrw&K|msP+<|VRSF;DsuKjG3V~P>ly`+x_D*US7&rx>U@2?WrbWbad9-# z#j&k1gw^!!TV5Nh)QWle9Rm;k|O*EBE zgt=iUl&RkV&y?U`4!yQ(54pTe^7H*R>p4|<0{DyhJiDZ|k3HO7_jrI(Km3hSTt99q zU~c?43CL|I;Rj5KWK`)6yCS7(iqC#DMHTEJg+11Oe7pb%3Nq6BwTD}r;(3+5rU8Ae zT6yr{p9_Dv&y=!Q{+0{9u)1yb+*YiDa0g@f>Q1WH|Z?%~AA5 z^pJn`lOaO+kDT;RdjzSGUO~W*UJOp&&n}WEwsQiDh?8hfcyhUi~;`!dtE z1~)BDQu>?lh>CJ?%J&U%9C?>uk%;)tu0;tS!!Eg)RDXFnJ#f=2*ia#md@-z zp)?1OOjQywQl{5G#I)KH)6omxgp4u>eU`PCt?(+Mv4jlixzQB|39EMQ8Qp$Gl&-Y7 zn+P^-oFB$V@kan2TpqRUh8KgqMQiUN(nRv}XV&-Tar3q)`}aBG-?!H5e@MSg2HLYi zCVnU^!c%cRFqfoHTdF$#P>yYHJ;ZqH&hJTybeB*VD*J4K}W6fV8yfKYN& zn$DD*eJAA$j8ZDp*C4*mfll%Rq|fDy{|H#LS=j3fp0moh9lp)P9XA}KUzbaG29pN! z@71Z7w4HLQ6BIzqo8_YIgjbKJO#> zEe?tofuYV7XYgHw3@Jd~)!r2`Gg5tqb5iNCR!JU?p?uy;3P4_Lla}v1wb`s4CyA>+ z*>TPIQ|l(ksa0BTZP`C`OaOIW&1=ZlcF#W7zw@+clXD@xuq#K+k5CvYzTIUuCS((+ z?|`I4u4KHEU~m4d`XDdN?~aH9w;T?LYC@_%jUMqi6?EqDI~EtYiJ;qCUyBoZII6Q6 z#xmZi78t;RD8>GpY>?V40dBs+FURBizC@$mBbb#nlM4?xJTx^$sr}l0*$dC zV3y+fxxCgMS6m{-ry-NCdk&)>(};Ked~QF0@le6B7p)uRC$+qC*KV1vN$fcfG%4jHAXZxbOeY5kJwuIiSZa5smP(in)7;m zSB3W{#mIleERE02P$JyyKlN?&k<{XTLD&0lWL0i`#q%qjY2h(}%bG_4eg}iaap+xX zSPaPLP_8Wcr{~P#%d<|qy zyY2E|KB!tY-(cn9NlkZjVJMk7KbMt!YrGhKKPmZcmY5CrmWKYn$l)D5DVh@X4x?vP zHW69ZCv5$?N9iZB&j9KPg)W(F`nz>Bz;lg8EcKLH~Mx`ne?SqF(BAihA(r*x z*{20dj@9NvX57h3X#?ett@DCk>f;8)z8?MSEb$^Y;co1K?~G-C6P7HS`~c4>Y2?$$1IZeNB7f>t>IUUlq8;z< zVjk9t4o79F?mlw9!3u5bj!2Ag?ytP+(!;-6evoSHcUH4_#rq=LNJ| z9*z9`-Prk$J&B$h(Xs`AAgT~rB)vnyd|O4*_C|%LDj1QRHEY;_;NL5?6~-+rO*S50 z+vSa*+#miqYrjY`ve37TvpBR>j=bk(MWseA4juC9x$Scc62;T{qI~;;11&S7I~qBX zXVBx+E%uJi;bFk%64SYEp*CpyK=LPSfp{P&abePm)VfvV`RF2oc36IZxK23TVuDSg znNhL9?bJPw02kJBwb7r#$#`(=y^?+0GvC0Z5zDB)%BvIJ`Tk3HJ3YQEXRicB*sS+x zutJssV;RT0A!dsh`&0%yXWi-Qh^%1q1U2!Ltz=9nlAy`1lS{X)lkoate&klIg;L;Tna zJm;G}R||E^Rb7vwG)@Ag$Red5!4S6cjAR#j}| zL4Kj%*;LX#Z!0k67*P`PqR8qO?}e|Q^@z&P&{eu(66Wj%1@H_hQA2an5weE9+HyFAMc_?Oew`64mJdH+iNqU%{wRkFs+AwM>Stfwf7rz-@o4#}ew_K0Z z9`q1NF7s^s#4vmdF~~NcnOPM|iIYPTlnnMzVpeZ6JGM(@VHpOlPUlNyqx;()-^a5@ z7^FN&U4p`PNScL;~hrM8SAt#`)Yh=jvsTtReE~Q5qb1{*ktTkVKd-B1hb@8QTmHEY0K4u*G(yNJC zW~thz;{8u(lhnkZ(#EP0k4B27gSMN!-|sSj$R_itV;5%Cg`5(VRFL1ad2J-`+AY1f zZc^UozTa!kjyTUzJ6_=*47>WfThhHT_7gCf`sTMK?sb_g5&!X? z{_<~>rmI?n3k@G7JU*Qk$}T8+(oe5*2H54u+c?WJ_~YW7;TZ9HBj9-0n!(f~2nY{! zAFA!nsz-0if|)^A>0garGZmhV-2Q1XsMQ5Ryf*xyDPnEuv-0D*XsF{`Neh0HgkRvF zwoFY+KctyK^-aZgYlpSok|MGHGGM>$|En=?Nq9763d+Z>8GJrB{c?2PRyyL%j)h`D`IQh(pJReB`1 zZ>o1E1)PU)+4oGZByxww>BEomUBVkvPnZajT`IuR>;CPQJd9lDg!O ze2M;BLF&^s-sDLqa6RsnCX!J`8nj34rzM4jKBC(;)sZC^_>9S`pDAU zcWpmXXmfkj!L}*_&aTc$%3alE#hGH0M)j{LqjT=Ndwlfn#-z7De+S6=WD4K1Mdl5l z7e&_RylNYe#C)rqml|- z8m=AQJ>^m+;@x48N>{ZX1Az`yo}bf$SK7lG$kncnPVKtQhFhk*5cH^6o+=n0SYy2Z zLHs5YNFo0ANnw08_O^*obNrVXygW+WQlk1m*47NFl=-VhUJlP!2++2LBHpN)wO(ll z5UA^&7n5ERcfC?dJ|&XhKnIKu@L8tOq>{nY_1?}H+RtYpN==W6%ZST5FWPR)Ck0b~ zUzDS(pl|D{4t)gJld^&oKDB%5=IWy((tY(e_VgdHf>x>WF$)mDHw^RydIeCAJfZNZ z?_5ztdv;6!{%oqLfEnR`O8zPTpS&-2Z~6VEB?G7Go_KBmd;LC_T$26n390<_ V_oMWV`;0L4zNX$?g1YsK{{qVPsw4ma literal 0 HcmV?d00001 diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..85a91de789201124a2fe38b75efb5a2c7d059407 GIT binary patch literal 19014 zcmdS>XH-*P)IN$Lf++k1L5k9%6e&^^5$UKj>D^F-D2UXElz^0gs7MEqDlO6>H0eE2 zdXe5F0YVQw^aMhZ6W{lL&bRaFez^B$jO@L}8e`9_`m8yh`Rqg*8){!=1BKg(kJHL2S!AUD{NeoYF51Hn zLngtS*Rpoe_$_5pCIvd=on3RgZU2D?wPDoHe;>`9wf+@8EPnXK@UL*=+U21CskjjO z|K$oEmp`j3S24#cM*|pq?Gg&tim&ontUQO768Cc4e2cj3Y6}R&tPlt&U=YC1|A#cL zGU`UWS;R>JV9)GGJLvJNYCc2#6bJ|sa=RcEIxw@*rgjpuglm8v!Nz$g_*82Q#|#{$ z)q1W%Nt?$%V)4?pxwnGZ%3t@B3Y;K~dK|6dnv~`Oh6SUcCNwmHQ^Fsm83LA&s!pqr z-*E;7XdT|J9hxa7$PrrtCw@e&l6=B(5ntKm}DDBZh)(>y%s+aeVT71?DDHE+Zjv9{kR>tQwffyT5Iv!} z(~lat-X8V^2aza>>ts}NVP~Bv1$Sb0QUNt(&5^qywMDYkT&q<|9*uF;uBz$g#STO} z)SG^RHE@X2KH_2BledD+$g^zmwiSFIcmapmZ+5E4Y}hu&=3st~mrh(di`8Djs%CGX zFO{y_E1k9(D<bGF!paDixO?lC`LC5)E%-e&w9!CN}8t`K4^4MFXiPkJ^z zIR09068p44kWwoK@M13-(Qs+SQg z@fH&^p(m_p)Bv@witn*aQ$0Awaj}m+mdmht2+}~+vD51tRdP*Q>zbi?l|DoiH zx$aSF2%Ihf`<)jdZG_)CgjbT@!#4Ga{RKdCqg)hms&tbV9>Mw|E489yhfDjNA>&8y z=M`u$cywbKB6i=(FAilS@kC(==dObK5p(|gwiaX=!wGiLm9y*-sy90xSuqKn7{}Gc zonZGq!w!!(RhvkY{Pm@U-W8?JlUC8bEM$h^7qtF za;tC;B8N6^r`WP9^1 z*Q~DDY0?;(>EsjDlsHYXWt0pvl#O3-19*Z&4oe@!s$yQq+dObNQY|kTI_MRDvdC+t zT^(d+(T+}9y{K)kYpT(6f|$FKtjXfgX#{3hdI1#~4k;J#HCKFlZkXL;?Moh2ZEgFE z3inW}hmTJ{j}(-k8rTvr5#DW@!UFQ0hk%O?eKO>SDfu7NQX(frPzKZE)47KCL9_n9 z=NpDp5c+7$OhD}u4mPWOL^`1%%rdCbh^Nef4LwRaAvVJtiR)WxLh|RxUeuatkcl;<`HcEU|!;?Sjoob|{;rciAhZU*k zo%in;N%js%SEyhovjWVpE0fQcgC`Zby<jIsk z;feHh4=Q$#zx||`S$JJUb8XVKe|?;a&I7*b6_^-e;LaiMfvctgx?w-sz=0QDm%!{JZ^sU?S*)*Fkd4s`?oFlHsof?Zqjt$sr< zU!c`Q%UcX5cSYH^M5dawv;3V>I<4R#&z5t9-|hJ7)$1Qrnq+aa$0`ut)6VV}f7Txq z(68o#$0FW;r}6w8z?+#`p}g?kDEpb8zd){)+~UI&<(-eYu+cYOXua#?A=7y9f_Zbj zMpd#=Z4Aric>V881h^>1g=E+AHU8V$G}eU0%x~zd#og{HkOI`24$mUID|R(TqI)O|jTxC4=~Xv$%Q)ok2lndJ~!I!%K7L9nQX2Z1jxoA6zkZcO>0 z0i4Vq_Uxsv#A!}XFhGavrp)?U*()cG~AMp?NlabCaPC~oU<+&hh&E9@r95dC*m45 zTj9F}aVEz<@4LXmP=(QrCfcGVa6_xg8#9M>O@<8(kqTx0+*9)AbLa~7b^hP`{@uK9 zr6&^GX`eyOAbh9$RKPnPy_8tkd77DL9F+ilaFwSlR~lX7kdB;|!j2U9297Ie6Qjc} zG@l_S7GN0>$rI1flbg$s{~OgfwHAs@WTh(<-Cn5V!WE5nS4vIapIfC~j^ZkTvt1oB ziklQ&@=K1MDeS;^JXHqGF|+}@`i5D`#V&rAc2COl9t3VE`&Uf%xT?>!?ZJOnjp@xi zi$c%9lIN5vWl-9E3Oj1P^NKhb9`~pA50Gol4f{3XN`C&`p8bHe({oN?$M*a!Tv@!_ zJDnjY@dvl%Qo~hr^{p4=2Y#c>T^4$Bnzm0{8 zvriLQ>K{PAkjsA*yhi88^3rle*r}91_`+JGGO2Jla*c*&p!2Eb-UXVM`=cFB*+muM zV^q(C496EUvC!P(XL``bN%ay#fln(kUX<3Rs!j=Bpt017Shz^@>qX8iUg|oK`shQA ze+Fzl!}40!+75Oy#FuGk9zW2prvDdK+_;v%{_jrn-(@=0fA?P>9#bFx|Bs5l?+AN~ z*JVZjr``8%ePsDpxOeN?zvz#K<|1wA|BqJKFUv|hju#rZV285)4zPKz^d>|~@$-Dt z0r$St8%dS?ZrkE3Nm8+W6UVQT&L6m46}kH%=v&Zr36Y*SK0OwdqY?9ptjqsz)0L*n zj5zEYQa;po|2M_A-t~(W<;U_o;-t{(f10O5XtdFh)&?`izg*>UmbejZW~5U0Q&<5Z zd#3gnIN_2Ve74c0CzsC^e1+ys-%Y1X6KA1Q;d55~j7WNf;#j#&1E*HTVMzx|(VUW8 zQF#Wdi*Y?=L7<5>vrZn=1p3I57609nK~G~-lOZmHsh~?kK!1B zBua~vaz@6bx@YhEQtV&r`}z#xf;E=)t+v7o{=k*Gn0>U3%jKj|p z>A2hZn~gbXl8wG;DZU@>2=k~mLV53|_#8K=2-^k>aqiwfYX8y^&H}sPq|Js`^4+%V z0}z`sSU8ptk#kChMvutrnwRT^b1HUy$R9*|une6tM;{t-N`9}D^t3Wit5IKdW-~zN z3v*$TR)4X@X33HpU6+>+M(UUmXALz&ilsMfWm$Mbl=%o5)E*MEFWZBamM7ZPvXG=B zM`V|trY&F4Oq}dD?Se_)kacx{^>N76o{%2DAZ;v3))NhGC}=<&mv3lF2bcs*mfB4c$xgp} z)X4isCk;rbZDk2uJ(eY+I;WI^-AQg&)i#ME1tP1iy;;@*;Sj{#qlOS-L+L!R(BrJ| z=%`4ojX1wlceccS^KLrgc3JJes&@JVr9UIMwXbWi|4w) zo_A;=>t@3_EJXiN@DfZMDd>5U5<-fJ{B-SL(iO)5P*(Wnzu(2hwKKm;96vf%tekG! zg@hr44l^*bL^4;HVkiG z1H;Nr+v{6^^WT7czqTz~w|UAUfV?=bByr{OT%d~apR;+Es|D{*b99!-{g}pb8CTF3 z(<{eWHo+#Nlh&v8*Ku`Y)_d62-{>QVrG@d^ z(S{lqEB%vkQOTmx#`u`Lgc~NjFss)J`iVodn5GE+in8U@kcHNxFI<@!*+e&(VZ(ge z^Ue~7N!9L1pWc^_jjorq>yJECV@mKVw^k$UWesr23V#TQ_=G$Mou8{}nbpvGs5B*R z$Yuqbg&Us+LMrwT{U5i_%b6d4AZ%h)B-r@2rD@+%3@>o41hrfaGFV>4dJl|x(E*FeUn5gBUU z9!{PfLI=sN`)FD7BJ&iS0zGW zE);(36qbu0dRNSbZvwGxE>BErMm-}_TH7GEqFKB8(o!YD5$h6rb2(G1w;69%#x!2p z(N>6t>KjHeYsMa(O(PN4-gIwpanoAlKR5Z}oObrA_qz+vjvi$i8>dC+xlaEh_}(-q z1X`u0a@w`S5!;73yw5%c(y*SgDw61u^`z%p zHE)N-?IUAnrLj-;-|vm9o@I-Qg>zK3-N3k!h)Z0^#&_9K6WlZN@ua`;9N-+^DNKMg zb5&{Vu~)dLdpybx%+o*_!krJ<+aR$H#Rhx|c5>%GES>ZMp0(~F&yhaZ(dCV}5K6h` z$l_E>d;v=cIrJg=WFtDaT%*NO1D2#4e9=XS5M-ywGEtved<>vO@~-MMDq4#@_!zpgF33YTwI{AbDB{-qG_ z_~#7Bto5a0c-u1R+wBz%!A&8@pI&br8wDq^s3P)Y)iEN=b=$d(Ldeb)Rh)*$nG+Am z$78;Re39>OOk;E0ChKl0K=^>@-tSvImMPOs^M6lE7&R>v!#=lWWm7D)t-qY)Kn*_b zW+}>H9MIa_kPiW%le|F5z-p+%0Xv}9J`kv4T*6lif`Y(#soRFQjR)u|{PHtk&~V-r zDheFFnJ=tqKOLol@IbQDEt_gUwPfETi&6GQXZr}%KH5=)hBQgiX3~i@-e=094TkDY6YScP6@~4!^;#hlM(NM6tOWycdOoE z6S=UZO&pa|d|o>Phe~tbg}xZbWd+}G0yX!zUaxCG3B>)-2H}n;iZ6d*!A! z!^-Q~K2e$6h$8N>OO;=aKi^Vnrw%L3El{aYmhD}@Fs(i@CYeRzCn-BT1Rj^5Wi%J} zb-lo0UFrU2s#Zr{T-*xw)iM`%O0@b$jc@LdTia?}9qWXQ)L(xYR}-$)5kz-Z#EP>S zw`Q@A(VS{C_Dp|=_3px7|Gqmye|#`%gx@R`5eh8cz`C0FB8Mikql@V$f}<7CE%~z- zx%$5Ohx>uPt^>R(R#gR@7icyA9DNn70&%uIYM3Se`YQ%fKhoL%{pgI1&y3a>TLC^t zkC44!HP1S4Js?L+@? zCyhp}9x?ZCPw#UGzyIp}WvIfQdFrRiWsN``L7NH`UVxRW8Xh%YB+&cLOUX@$UZ5SiuTIB3g_T^4E&iSNF6F*6D9+vD z;m;7dDBmt9>d6Ka_dx4Kod-_>CYp7L7wk7~@F-c;Mcb=Gx+NHVT?ysC>9dsyGx5LW8=HNKcWa(z=1h(iEj0O|vvb$RJK@UdMUo_d zoj#b?L}K7_gkaP`=o#W94=?=70hw~=kJsLM-I;Oxy>7A%wupi}Dv-8SVBrHH%aa@x z!+Mw#!+?ss34%MDS9Rp0w1sjcrnmPwMy7Nw%?^f2+ z!h16x%*p2TT3l9U-(_TUOnk%1T4Y}Py9pmvFAhM8>B>pP$!&m03y{hk8hwk58Rksa zMIG&@h6Ry9FwaJ_lNHj&>LO&uJ&0v9Va}a!iWIFk(GKVskP@9A5UKgD!_OJMo|tk~ zdiJl-u5hnxvnb}M&k3rxY-?(Tsi(yhXB~NIn5h=NJ@PZz>u~$y&02rE^)dEM4~p=H7X!uL&Y)y^kH`<&1B(iMUP}yw($B#hU+j(;<_+2#2yNsX0u{Ik*GmRpXdieLq9v z*eW&dged?D7 z$JwafrEXSM7Lk6J^_s%o=B!L$NGJU63OrVIf)oz99U6aAn)dt> z<72q_)w}B6)}n}tkofR%KT|^rD&DKm_Nl%YMH(@LLL_c{=u~F zvN8O|d`y;I@}iHeyb!an#iY2D&9lPI*3uKe-LhJ%h2q^a>Vg8t@mlRHn76#>nHH*_ z^B`?Sjnsx91@A{ppR~bGDwI;H)F8$VCQ#I9o;J`?F8_}-6z>t_yClm;e-9<~3%}qD zrDdHq*;i%;mhLNxi%Gzr%jK>!+z;Uw323o4DEpAtZ+&px?zU=jjOf{mG3R8z9i>Yx z2mLCn9wIHH%8#5B){GE<$Keq#d3Q6MUY<4 zpZ^Pk#Zw(B@_LPk-?2x{v|@h%j;s$z3vG-WLV1q^9=o@Eek36UF`2$0`H!}MSeuKE z3F}_!s1?2rhJ)FWjG8zW@_E6L_r(HjoBBIt5@lMo2J7Ky)0LIX{nxm7n zGuz}{5PVu1OgS0y{&WpLpw1I2y#izJN)16BmcqD|NLvfTAenvM2WcQU9b!a1m!EU| zh5#smNTm#Xojh5hdt~X!V#~oMMhe_fY;atuvNI$JvYN?0IAVOJt=0aYCo;2m>=zV2 z2Ry&4^wk*ItPW49ZxjA|P2y3tuu)u+F|g-vVOeJV=rzS9elPy_3oEWY2luOsDkhU9 zMyL%MAmK5{+=Qg4vhX&!#PUjhaCBq1&P}C{9!YM#Q&vvp=O9*=a#T^6N{sI3zMrXG zGm>bbUd2s;H&I{3&Nd4c)dG4xX+~*Ier*)LA}Y<<)9|7;vf0(#nM%RkjV|e9`5#s% z7DhNo*Li!O8HjY$PT*0g6nsqhx-la65ms%^H#3g7NEvbUd3I93(4#|asYv|6wQ8xJ zEA`RCzWx(oVljL?ba)oHE|kacG`Zaz;72|Q=4$j?hcMA?YDhlT&h zpKX_==F;>e)`3nJfv7uajkSxlL+UlZExPPkbtmddtaA(}#5mXTzKhztF@d4$cJviK zf$yk3+_AB^_#z~Pe?y>uC7enL{z>N0aq4PBh~jUs#p8l|X@5>6^X|@N)5xIb4CX?~4$c@sY_qxqh)*Ti08_+<4V4YxDr&Sm;_noYHN}=?AgLb@L+q@ zfbWXXWP*7AtH9g36uKtcfs><<$eD^<>B>@EvM?m(_QX^w%UM4VVHy!MGf}2E;TdG| zo#lIe`75s^`mQfiz_!HVm*7Y0CNublX@ zgloim-~d*Fmi^9RI6%tIF&aKbXv+^37bD@VPj++p08LvAdfb%Hymq_Cmzg`X$;=Gc^QGHSR^J>_Q zfok@bRqGZDl_GYcc@?#Zo;_A|;5k|;3s{$9s-Wj+Ttz`abEfyr{TJR<{P8z|G0}Q| zuviW*KWpiIY0tGt9hal8@{*yrtz$^H+qRdqLsJF8?!|XG(*_*7;(T+xG}TJi7ou>#M(KuE{amGXC1W!Ch9lvt`ZALL9fWjf(F#>PYiDpHkPw28|KE=Y?6 zvK;n>R&WLCIi~8z;c34~p#LFz%A2Y2W@903EbpNVlzBWG{WH69@bx3Rzq#>(WR}EtdFEd(tzTh>g2OlaZu-7+5n=gD^3O-+thHXKu})t zI^8FCfw{nRr7WmgD|ln&+dLV-62~0}n^aQDA+%0`UtcSub*rLNGkghWPQFckQ@TDj zZ_#r=9yn7yy-%v2Ye+s8Q{NO!`Ccs%rn)Cy|L52ez^S{Sq&>-MCMnIEWfe!4_MgSw zqQ11+*VXj3yve+oe2JeU8%B{3*lN#2(|Y)=j>-L2T^K;ahd(aZ8Q>!Hxmy7%BO$(g zFc@Hj7nhPO$B#ejBvSf!Ak2kBCPUUkDpHGOTjedo(J{LjxYAuebYKa1!qYV)<85x<>C)U$_sav-K!LR%ECS9K7^W}dt1)4@jhlZaznmdYmTv>=N=}NrN3lZ< zk{$JHlMHojLr?03DP4mZ>XYV+w<}=Pj z)u)!vyscFu!sU8Coj%=}JMl{&uWQ?ibM(X^q+`!NYG1NfG@38^bxtTK9L39zz0gv1 zoe&nx*(U53rJpd6s*GtthTThuSoMU9H5aUYxB?6v_5wFWcY1U0KZic|<(2l6C~{_S zODMwgX^zJC^AY5+nSu;kte-5eX!cBb9^1l@Cq)JMhZ9$`5!0Bm)jnb<>d z=y~<1)N*lFeWWk$vUjaW4nr~_BjLx0?|{H9C^8-OXVes&h>=#g)_bQvC_>ZXW_=y| zb}!4CL67>vFu?UX>FpuLC1XK%`lLcJ#eGVSkH`qVn~@URB&rTyH+$(@3}(LGKwSJE4-4~4z|j|egCW`CMzgIE*d|Xr5 z3f>1@)_*e^Z`a}7{ARdf`k{ngupN zep~s!1|H4KpP2ENAL497TBHx;?!n}50jE4BVn>dC%fynUX_s!$BYtYvyDKhedQY=(=>%-n9sI$!BSdd;7C zqAobAd8)R5-Pp2=LmLL)sD%c8bi1A|nxz$ITOxo0O*((@b{{y9GF$sGxvR<$9j-{U z)k4*O->uut0WzO>=pkEN$^=^Hdp^yK0Ry)J4UH!A&*b~$!s!2gvG#d2>Pc=9IWJWM zDxI{+zu_2AJyY|LNc!a$_Cb00r~BBCFYxW+m7`4VL?)Q>SP4!ZgxIX97&5>l=1dz@ z>`b@$5uXGE(voI3_AY5fu+m{K(j*pH(=`7qCR z>70Rk>x^bZf6K&?hwt(*15|_Tt+8^0$?m0`hsD-qeQ_0U?-vDuATSHb|4i5PcYM%O zKi(>0;mbZM7=jhznNjA7QXk7bc-Mu?#!Yd)dh~yDw8y~=XmZ7w zGp-rqHrMWNfU)JQZQsv#6F6%6R=&1XVrw7iKnwzw?Wc=nU*0mYH3}Y_M!!3n!;F8* z){f$%gK+T0-s&6;aeC?u2vDnlE&Uj;_TK(mWj}fB^7AKcNP;m3|IMa5J5m|ynNFcB z(Z2;Q2U-5d`DCGE>7ECz8sK-rhbeXI7k`XH?t*(p{fZnn0wJ^@%%P%&3wsG(z=@M^ z`Z0Rw>ARQXg1uj4zF$5M)6l9o*T$+#Z!vzm9F)dRr+P$B3pjf{PZ!K6C~c4z$)7V= zx=X;pClfQYqB68716oR{-(48bpQQF>3J--JwO)Ahjj9g#C7ZC;OJx#sSDFZM=uY-^ zDU6RE> zf=BPIy$b;v*CS*{BNRtRxT?h}-_0>p8_YOoZeJP*JIHr5gO>ZoVt6j;3O`>9W&HT{ zc`JeX$eml27q>a0ZS9y}n!cdVlitrK^=b9kCg0=)%$UOD!Z19{ulfID@Y=i3{W$Bp zD_LCozLa=w)J3}vnwR_u;D0%;PoVGIQ!MB62RY&D$D!#X1GLVES7-q#oYH&A+?-*a zR+X)?X?dV3{j^M53%btLj&#mAahvyL?rIjW4)Yzs)4!$gL5`- zIQnvPJrcj`$rW!>?`)m#k|SGOxcg|n{wnIMAqaL#EXi%xopnmabO0sq99;Al&Q79= zh#!-pf5D8d5q>5)o5U+qWI<83OV7|{)>$pu&TkGQp;AS*OQmX+kGth}k!W699*Rw_EKe7JRVt?){LTw@!%IWRLiUYz>D!U!gJu68wY51F5 z@KH+MPIDo|Dt4=Sr)?~MXP{>!P|?Vvbf*GIKI5>Fs=>qELMMBfSGN$6Yj zCGdI1XmIU~yp!7*{g{TVi8{Bpi3E68zU%AeZKxJ47C@&eA-wsab;XxEk_}R^`R53s zc)t>b6>f8o)x(w4Bqx@ZZf!B!U?K;?w^}x79)1_g?Hb*F3^i2L<{RcKRMh1&3Q3e! zuyGf0F^4?e38d1@96M`r4dv@9Gbtzwn3em+0|V0|cs#VW{DdntFJ92lah>}pBVu6M zX5_RrW(YXFKbDH9{Ru=jDh8^tYX|liqVocUVY!&rU8`24N#=Cj6W2wIfNS2YmRbEZ z(`nx>;9v?oLCNe9%2H0o_BeRv*-Lc7diC&t*0&q<-2c;~DCLU_!vNojWNDJTcvnOUPo9_wm8RJJ@ zsoYvT%f&{#-wingrvg?5L%~|PW__YCca72}8O8}|Dq`ra&6vTPFkXSR- zVb^3XFYAcSdi5vNrw2Y{x4K?y8+7Bt%*(~q>QAh7<@BkF!jX=UT-OKD#c3jQ*jyP@ zYFHUNqKbiINpU^EBlq0*+-Zn_o^-+!V!-`^_PgEzHucT&fm{d5CyPY!{TO@8!I z!EJ0Y=&8b0O^%gy-qSQEp9-&UyN$>2{?f2xO%o#F@tZ2;Qf3|B9MMWe;7nu~LJ&OO zd5TiZ234Cp?{e>EiDY|NEi#jkn{Rt#8d(B;EyCZXpU0{>USPX#QIqp_rDD+80e0dnJ~3qpO*3?)FC( zJ?(6w1UALb+$6&4b5mkW3A5e3Vpm#Y{p7C~kA-Zo$_=ruinK+qfLM{jFV&g%pqWt% zapqun{kLbPHVT7X2@hr>L^KphIe)a=0gf(LJ=1IwWQ-zW;`Y1+f3qL!wgxXSZAenqAJt*z*@U&;Myui ztv_3hzxWx&S;WsCw6fw>P~I6-vCr z`^{Sw9Uq(`#%~=|e;y6ayy#ISWixuhMy|e)s$9Egly@>D_~K3j2-p;PvTAa1*`Fqu zrq3i&bEe8n+LU0(6^b*ByN|kKQ)Kp53*X0LQw29gD+i2sBQ0_mv=}7pTl`#rL6h$L zy;;H7>?62u;@&jo#GvLW%MC@AqV0SMVG(_}S^?_|j^Oyh+U<*);kf0Kz12N@}#6YL)bw{6C&WGm;(kD;l_pZ#Ce_ z=R7fSG-ES$oa{(PL2g1Psf_EmL%fRIsOn1MO2*kO0F{hOw_Lpw)>nS&oHuRtPB8~v zu?;;Ax3KWpoLb+bkZ86{!06Ix`(Eu(A4!y)v}D^luaa+B@h#b_*9iA4)~psf?0<^V z0@h%f*9bM8dGZqaQ*r*+2?6p0T&2;8t^=H=iOy4(vp)ejH^lDheMf?TcWMl&0?ayC znq1+ifQoWA&J}a&@5=7%%+W+W&3@k6du4i!Fv4~D+)LT0lgT;3bn>6Ul2M0v+Y+j*GlM{E&Px6@ug0}NR)}$2NwZPT-TT~@K?fF<1Vc}GcACstBiay+Y!Jz zP-XqM2DR_=zp}<(%?peMj+31~)c#i`__N~HcF};CIzs-RWblLI#s3d9gDI{#rSZ^h z2k&>BbN;CD?3C=|GAButi?lKx5Td+8sma^uw!s;J8Y!iBQ@uAT23;_ReubsdnELI8 z%QT#Hr!`O<#U4fZg!x(zR!x5MX+9yAkFc%2AqgORp?tebHWr5MECVCvJcvP6S!d&I z!~Sf(GY`sMD`9W#I(_1uOvWiEsX|r=>C0Pfz&RhI+vhCjoe#LP#`c$c##0eT1(24w z!(p|Mxj1^7L!%=nhIn41hSq>b_KX3`BT$f}1}PNHuS=Dzwf-&tXdi%+ln!#;cy;u> zepHXNfndqBrW+JG@$*oN?cTURN9O(12)hbdQau!jM(WwbOfIj9wcBh@UZ}kYJDIvx6Nsx)%P+!TS{QI2?cUa_>Y< z&AJt_#nX@vrMNnw0{0W0^R7Hz7#52l&g9f)-tqK!i`dEW8OUNOx-0!x<}dLAY22xK zfdlyB3DXlv-2syogy9OtADgw29k}~_BepYz>l5{-YS%>^HeGMB?J$1q8xjbpWLCMi z4k6c%Gv-tltNMiN)O%lE3a%Fw7^PQGqWR#jDPSj{cNiX{NhakbMKMV={&-*aYPmbs zWoxRu7XQs_Z*O0Vss@@!Zg$udAS)<-iKAbBLKiahcy>6uK5k&v3k$pyC{6RybHv%6 zuRr|x(S-k)zYv8gs*>y^V$~?8{cY|u)xx&EGmc#t?Rb8JhB;pz&g$3O3Qpco zgVjyy9`E1m;}I-DRpW#9K0!g(2;Ou{!S_9#uF%}mLl7UaKvV;y4klS5#S;Kn!uD)a z&9!qDwOJ_vrj8$_>(2pABreL^GPmgtx)=sAMY9EDP=MZ9i5faR4hm7<$`ah=;#$2z zOCur9cA6gHHUY3&$F7tppzBSf-p~B4af52$rv{5E&{bb9(;}UOb}9I|q9Qav`5|e$ zXZUTMcPA;x(?vVH{h9!cgv^0I)r9#}Ls@NQ?y>G-7_()4|6FsU$fgIx$5R zdruE3MWS1*lJ@K{Aib)xxfT5C_g$Ja2E+4d>_oPv)s>f#L`wthc7(V}k%V>pFOZ=S z0&SSW$CZmu4E=?Rd@&n>83!0p$ln5%sWwE|w!uzRZtGMja-pL==Ub$>Hy$0*)@(mv z!KGI6{#RFFcu)S4szrpq=22ef~RIr&a$r~$o?Z)JK{zWEPF_)GWfp4hvUZrM(wJg*WJDI z$KSxn)i9%1xAQ|s!W)h9bm|;MtK)wGI4isX#K#4zqF&OTm^$tu`C^vmfWUP`Pn0Xf ze`F^`$w+-+`ok~SwNBDKlcFLHR}L{_p$UV}zGqhJwG!Jf z4=j_IDcnqao;V@Osn^5uDQF+z*$K53k5kP!7O)xtob9A0N1xD|Z-oU}*fy69jRrGL zef$NZ=_Kv#?+N`9$cZTD*FF9K*L;Jj_`@5i*Q0mMb%tPHOwJtCIN|zl5;?7&ZCc&U ziZ2QK6}~tEsp_%%_^a|#sM^0+Ee+URu3#I+f9=T2)oA>+VH%6jyzTBmcWRbROsDe( zrD91nS^wvxdOlvApZsp*(?WpOhKME>?)@goQ}Xip{l~LZC3>sF{@aAgXNV1fUEu|X zqHNjd=}1T?>A*z3by(H>&(b6Dxq@OknqLCfG=qVjFkL!?z)yc}27f|y{8_V3-ewfa zEl%6)YG9;iER9$*67NUx%w1N!w^`KJ1sbH7TE?H#g8$ z|ET|q{)6V@TyiJ_zo>0aeWWtQjut~fF?NNQ9Y<69yyZoutShs_omJ81w9{mXJf^vkoex-cPSIJRXOUkDBK? z?p8F~|AX)74yuN%n@hmk_3js!QZg9pVu~)2`o@;1^jYu*m3uho=Jr*s%<^# zJ+s)}kW=mY+qNqo7NSz_)mUifp}8ti55{7}!5e@g#n+s^M~WO6u0?$>|TAGum@wXFzC>lg*FU21WTsnHevB|8(iKeK^V-RmmheM0=QN`3iPx9UFiNClbs zJT6_{w2-ULa~1z0t`yzV$9>{dZ!KRLA6AGm98w{mn8YGyXz7Brqz*(l@c$&70r(b7 zRve$w^HXSKaNGQToL@c=age-$a;x0gkD_@wW9&psOar%|~kI!3WU9@}Uf zI(@#g<5SY7XDH*d>Hr{Gdf>~%=d@iMpiJi^>G{bm@=HWX#!K|2g7=*hSLw+1Ij7DZ zr|(+Aip_0ZOi`%m-3AiW#5$2ZE8rS|vn|jAxn}@b~=`*zG%w?{x@f6s* zyw#j3*0;4WvJNM|9Pk0sFPJ|9{eE}_dTy#f1(XuKfdu*ZB|CH*Rh?oq4Bhpfb}z-- z?MDIgje-vnH>g2_O(el)1&MFNWtDE(U1C2qUnwzQ2PHx+UtC<{Kp*5EYDmr1`ESek z{!A-AX&ZCZpI(P@4;q;!^I`Q??YpV0)s=;R{|k^9u7;UagEKxdG=3a>ryc^7r5!oG zV9IhUFqjlqi#t^k^)aD!lTVE{ZtZu=AY9O4OLx2EK> ziefy0qm!PHA-1!h+yVqX7kEnEl{zi-4hD&Yq{r4L_Qp36Q80n?{LM1ysD2#Pd04&Y zn40rMvt6ob<(no__~(yaEsMdGen0+A*@jLZ+W`JG9(vx1c+#O7#XI0=RQv95U5RpG z0(4`sQoQXc%cc9kv-87YBRmF!o4vLkt^=%|)U8eT9)0-8?rx8fA}E5U)A|~L&l&Dr zX_|Kbp|%V4WN50N#s^cy@67~ij)tVW(s3qWBKRslZfjw2d1C|`UoeM$#K9bssb(qU zK47a!Zm|n^D}7x4O7-2(Cjyj@Oj4q>I-s+$RNY}o*h?GE^{;@5r|R6RChT<*j2YTw zm2X!Ldk|Qhds|c>hxMGT-~!kTD7-78@`js!_2t9-_1gSFf#>NGZb|9mNhxMwh$39- z4%ZYQQc!_qm9PQoRFM$iJOz(IY6rE+gKrfFFR*sCnZODWl1@9Db*oLIY@h2zR-dFU zDhH*7nBTMi=7W&c{hshLb)>SiEN{5hfcnOM)4SDMdp0A!VJOQhSa@kg`g$6?-mD%( z^TCt4^E!{m(vvdu_;y6R)NTm<_4f4W*C3;gG7rv)qHv-AN;OjMylp?PDKEU*lADy_ z(Ykx+g2T;Q#BBF|IU2(R7{QJ$y16_-%wmdHYdP==*i7#sxZlb4%s3(I69Y@dIiH>j zEzMDw_rXJ?5bkB&SB~qh;T=>L7Z`EoJ*?7jl0Ms`U|TduXR~UB9ktUuO7=>~JK`%) zlp9?A!PdWR!XuuFkT$=mU5V&FPVqcmMROg#F}g_?eATv-wAc~uW=-@fuix$WJJhdRd+!1)luW3txy7X!{C_obKK@MSaU9<%NlNl7CqIg; zOny}2xH7UIer=gZDOAqM{HXaEljZj{Y++j{>8yp3mHaxI`H|#TPDHk%W_Vi*In+n| z@UVxL)WmuaB(NdBYvqsSHxV7$I%TF_sE%JetE8?izq(;kuhU$EGW@(_n)B$8u)D;x zI$Y;$lwGsAhrlY2Bc&GklG+EXjxc?8$Uyy+ajZ_u`%3t)J(k6Ho(l~83Xwipa)Ub~ zUBY}&qMK@;{*3Z+C{cWy@6$UzylWYByM=GZJnL3t9Zh{jri_oamz1v7>my0!xA^3S zYrDGTu=d3a8a0(RKTDTEYg?z1uPTxdg%P1nhm)~N%L$J9VrHCQ0*j!Qq8m_IuH|2T zPsM1eX%XXv<}uc(ry&9Msy~1xGA&g02w{yn+ZSxp;tKSN1I^uTbQ#yG5;$Ypa|hM2 zE_68%@U+v-2dtUu7D5$m{kikvjENZAqm&M{sa6&T zR&ARx@?GhqN`t7jw?s91zPuS;Eo=FHpQOGbRUxM@vUFB-Edm7Uhv^Y|S))%ONAAj* zs($h$u`#h|7$z>MN!LPnSiUwm(XuMwvuwOCf8+uH%akpNC1MWLJG|#uX3nov8hz$6 zmb64)Z;tC1B>?Nc4u&MDm8@#R%?V8pgvuUMZB%GR zPEh#%Z$J?@6cc!Y(ygWLt-p+moUV8qt+YJ$j3PtG=Z`qt+Ymg|zfOX!+{3b0!BWFd zdA$zCP?+hP+^i1YG`WClQ+scE_8=2HG;uHlSy=W{GPYQVSJl%{$D7(Te{6Q`cbDc1(@|S8xHpBTjEQr*e0Ho4{%qWFpi>#!>uLtxmTz# z&oQ@3V$<>TD-t6>#rd-731>l>Q~{`--CB^XKKXb-DyTcI74!K@)((_TkTBUI^nGqk=m(+!sOe-8WqZFW+mgt~ z`}2VR8B&w3*_49X^c!crQNweQebJ)dxlugevJJ2F7Zf77b_ z|6_dhax0(bbM?SCs~`e{43{(A6MaP__{oPUo1knRg2Vk P83^PEN5d*kUQGN8TyyO3 literal 0 HcmV?d00001 From f8139e4739e10a76d053cfe274ff02aa46cdf40d Mon Sep 17 00:00:00 2001 From: Samantha Robertson Date: Tue, 26 Jan 2021 15:04:29 -0800 Subject: [PATCH 199/304] Fixing typos and updating --- .../images/false-positives-indicators.png | Bin 14102 -> 15655 bytes .../images/false-positives-overview.png | Bin 27939 -> 27865 bytes 2 files changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png index 733db3cb46935defdc17fb312d25c927ea95f178..e30347f04cfea0fcb937b7a1730202b307750fc9 100644 GIT binary patch literal 15655 zcmd6Ohg(xi*Kfpviim=MQbnYfC`fNd=}ka-7diAMy@Ui5=>jTEy7VRiq?ZJw3(`v{ zfk+7fLMI^*0^D%U``&-x-uv8dKTk4y&n~lO&CDvlwI*8kr7HDJrkel&fLdKm=@kG# zaYR1fyMB%Q5C73gK`w5*RWtPl0H|m$ewW7PAtV6cAwXT}xj{hYR+ihQo3SMZ5w0kyK*?0{1`_OuOtI*d4U%xFo_SJsXiWrK$nRs3NwMZdYpF2^_<@(Ua z{X9qBv99QfSH4r!;_U0~>%kXg=#6*nl>b!R`TtzuId+fk zVCEcW32Li6?i%&M=EzH(fF}u=+3uhdP5U;5Bg%6L7$zh*&=&Gf7fdKA$HGFo8*;?y z=Fis7xf_X-4m)!A`N|WA^`#nXrJ{>*301Gw=az0bTc-oHO@^KSp|hSV3AyMmz-aKX zwvTf#X}B%@_GxdM>@KGNnOgo;VoK8|?FjK`l_z7Qll}Akhd`N&r|E2pubdTC&7XU_ zS|JCNHX=fNw|h=6UEC^!)n?cmv4`98h$hr1Vy&9*Jq@)4FfPXaH= z(_Vc$5E1;DOOop^mnHdL&YK%th!2)v!58DCZreW12q-Z6BnsKGwZ-^s-h}?x@%hK$ zBZ@+oCC6|*lf1?R-a+K}&XXCr?$V|GO~UyOjPa)2uqWNPIpm|KHE8dmwQ1#gjXy1s z5{yAk3*{~ow#=XVYW@gB4+%ehl+WA1zL_vBv&lwuq~IKN))Vx{<$YN#5KHfxfTG zN~>Wy!C+KK+TjX?6#UABl|{-{HE{2z!qExrGj;R{?~%E^uI2jTuChX^(X;+hs&K97 zR_9kN+Mh-c$7`zOHbO1!lCXbN?+T8(aS)MRgQ?H91?fOT2VBg{`-yrbDjXRZYqfpd z?)RF#c;dOc)JvVHAJi zkQxR3S4uuy*?UA6HE?#k3O{F9^n{%!38gum571b0UaLzL44<(X@xO;JluQ76dFc;$ z5g~D|6Wj|IEZY>x-~5@n`yFpjV;Lqt2rAF7s?ejG4zkz8)qexa7gOjeNQL3*>aGs@}ROxQus?x;Io! z3GeX+a-JZH{E@3bJ9(>^42+g1ym2Qa-um~F#dUH6p_Z6`6io~EGr;a|ihM)oC3^#| z+zJ=h%Q+dx7bLX*6q#iUHc?1lVcJ3(i~XZ@08_oZJTo1{5hX;ha>g@>&o++)E*?Ep zq>=Y|G zf38zK$BN$X=P|-~vx4`3t#E}>@Vv}avp$(c7_o^Z$pD^Ahyo~woBJ(?dal54o-cMr zO5g)RD;!wq0qEO+NB`V?emz+0KdR{p1^WeQuV4HtTLIkvshAovZX+5#Iu4x;!FnhOXEj7vD8+!<&P$yfrYsz1j;5r@wMYzc$>UbDhiUuZ!WaUNsGH{xL@`#Sueui zXhem&^k&`?$n_C`fd{U2zQ}&I_}$CkszuOGqd@)3tR% z1T4pa)(tfNA#ddf?&i!{#Jy|Oy>qs`v)%N#8a(2ezh6*mYS&V{&+W-Pka2bUo{y$F znH)^Kan?z6&QUaMxjdc{Hvm!L+|`sbtyq={Do=c(b{SNOG&kC4`bg0!mt~nYDd$)j zj23W6YgsXpO<9F`7U@VjBPO!%CUjqWrocEqc$zc5@s5Q_qRKRBXMVcuu90*prB}b) znr$~LhqLbFH0&U2N6R1SNeMGG?@GF|P^LSVC*J9~l={smqx>L2p6FN&>zlJb-Ek(k zI!S5pnvAIHzuESIQw#VhU?vIQfQm(tm*JDVN$l?eybNaGaig{})96ouAH!=K-LG~KxVxzmoFTyukQxe-q$yef-&Cu-D*cccVUF`$+-T9>Q)T7Fr6@V@9 z*je}i+1|JkwO$b5Jqt{iXeRA2X2~yZ3KVS`BYNS+_}ZLFT1e^0Q$t$a!lR6`>*@!R zo=lBy`m#w~jdRb3JM}HF(=?=ZnoZ4}TsOV=G3Bjt>rK+W%}Nn+%zM05xcUh1O)q>r zx>zD-Jp361iSM*yy|et>y&t>|NE2y-`(j@6xf>eKupSTlZInjVKWUm8J^y00tLc3c zXjq+}>yzc=bRUduT$=OdX7NjHONZ#0jJ3+HA9{b&cMpGk5Z6BJriJH5 zhEqk;YNUyXKV%rMyZLxfG;FIo$%YhBa!}1^;Rh8;q%}VD0xlGPEM=r*)xT!gQ~Ql< zJN|yqD!|g8)NFkgg}C)oj?+suT)-&Bd1YR4<9(4s`KO+$UX?MAA+JgX1bFFMJ!Nr7 zI$PV=C(R2C|$XI`pKm?J%hV1oh;Xq?U-?ZnIv3ukG{F)53c zxH}5oy6qe&NpPR-%Jl&5h(OrJZv1(9OQIG^$W#IEs|=honCvUA!#Upc<5R|_A(Pir zuG-&=uSPU*k(~S3`x6;A!%laHOxU_CA0?R^_qn=j6zemn)~>zr3LmmE&1eW?yy z>6p)FwM0mV$%AO_5Pf7d^W8U%R#cBPUNm>{cnP2rf-3+3iP=8+a zu@v?QK)VuSHMxQX+npBj$7u&B!dbNz! zi~H*)tbr>rd#p)5F7E)^5%39E>M4nQR0|w9GW8s3pnF)9$ZSTH3lHSv$sSgYvZfuU zc++p6Hd@({1!Tzc9P>}zb+Pf+@6%yu(x>O}^r{%|$43mIZG`HcmX286a*EYZs>!AG z8UTU^{`d@bmImj`rs)U|cTPI*SPqrIY3HpZj}#tLm*;i8YJZSVV9!<8DAtvvIa zpXYztu1$M^Sz6$Z-k=HoL3%5(M64gGkR)Hr4nc7|G~ zg_bEXg}m}dP%+2A<;9p8x!j@@;F2%ciY+oj1@9UvL2M6 z#BF4P&@{)x`9^hiu!bzRQ8gjKq2De$=4m z1LnoXaZt1od>n7P?U-5Ho=_jW;dG$eBGFeyZQYwKXveSfqwY=}*uh#>sr;tqaJ^h5 z{|y@QTz_h4P;Xj)>TE2DY{@@&)^b&JF^7oVf;hd6h)ZnpvUpee)^SNAohGNBm2f8| zN)8qyO4EQ)Qpst2H#jcAN;K#iy~6S3JXLL?+A)V21E{^fzwg*)R-p1+Pnw7B(?tGq zyZu8?J3hike;e<=lEbEXW#pad)NH>R&@|p&AIQ6q5F>dW3w?T4>fU;(m1=aR#a}f9 z7$96l+%E)&Q&bBT;4p`MW*vw$aUO(Fw1}r`0{;DYZ#=)kuwXo>^0vio###a zl{C98={%d>FdF$KI~u?Ah>4G9BixQ;I{rjF@r#0GM81>pfPx=lZ(aG0PaM+F5{n5u zGvxnR68Bl1iuBCm?U<}>S3g_~$HL>Nd@`6TUa@B?Mo4;x)LiRW1^HBbsLY<>VQD*x zZEHkeQ-Dv49i;Mm=P3@ZjUbNl9k9~$5cUIZ+rpcJZ~B0L@oViP@;omucQ{RzMZq+Z zK+*HMm_(?-V$ZcHYG3PSD>gjIF?Q$2p9RcplROZ)-HjKuWb3&5k0e{bV`<-S-Pbr_k-p1ep zfj6;YE&66>ua2J@^*5P2S-k`Cn4i?tLhAU0OxI4ikyPn9i84VdTbTy|a4YYd0}QL0 zD$;DYQK{sgjaMvh#2)avBfZ%NMKqi+%jpW=Ji?9b;P(85Z_$3silpzj-7oJ;zhr|C zm((urtNfxl-cM(+1W&OffUAC3XSUH}$I~Rq^w|&n!@uQd^F(%-DF^efEomaln z!qb~rc2s(t4JK5YeQ-7VLzBDHlTyJ533UU!qp9lrSh^T~wpRH3%?w>&Z~OhzTc>~h zxy&L<$+gSl5k>>363Udf<^gMU*nWgWtS?4GE%PP8m6yLt!XS?VaP6tK8BT zypjQ|O1E78$E$v=`q#?NwXbVh_dLw00doUiwJlQSt=IwLl&jL?lt4>OikR+mV3vs9$;Qe zP;aVzFX>X~-owx5U=#rif{_4<-zdqAcBO3ZE_SXj#R7%1&6B}aaSqvm_HOQ%|B^tU z@c!$FZ7}~l7(XzE_df*_N7xnQTQD?dtLr|5FrDI)vs141v2#+m&w5~SK?Vxvw*Fh+ zO6@y^YZU5i3-yvL2XHYru!P`^ zLy{qs^lHN11%0O-6 z1y+HH26>NbOAInh2kd}Q=CVLcOT_=j)XnuoOM> zcb2c`Mrm;om2l&0<1bfU3w%;bHDUCCOnSp04XBXsYhso>&(CX8v(nBwS*JT`~A2`IC*|&nzPHwfL9#}D~$-)X06X8wjZjb}XyL7ruMm&55#Sq^I z!GP(6pcMt?pg)r`A%w7V4{oGOiU0X5yQ~BEZa5Tn7~ea#b>7^1CJzuy2-=BT?Vk@m z7+l{U0HS2LPfl`(r8((o>!cnJQqSgBrLznaX%&np3N^6SWHr#;-@7Mj!O~FnKZAW=Q;YZQ9!&F?=PX%noq<5-S zkW@(Nv><6J9Y_`T2A!dIa zc16=IN9mH~`Q^Vd^yPNjFV|4cdk@QXtJg@)R!=1botkpf5#N*hH6%wsk|i&r5L!JN zjb_MV~yg7C#tOW!F|XKTv4%5UCLFY~Jf( zCTRB$4hBwu&i{nbe0em&Oy(Zvc&hv=aFACb=iyMS|MO9L){6;U|ZQzZx`ACER< z=VS-1GJ{$sQjR3f_kYibqyby@-oa`ZvyO$@5M*Lo5O+ol`(*!b!XL z1E#RkdT=PG^uF!!HVRiHQJCQY4@5oHo;cl4ZPOC@`S1=oGR>(dGoqrOF}I^2E_2wN znru8UHW2zd$i3~n9Mrpj55xRcQUH8sj3%Luvry`Ud4KDm^Aps0tKrVGT%-I=>B{K3 zdYEy7+!7nZRk|!8hfzBbVC!y2)<{8;P7=`4L3z2|A`H!zs z;%JYh>hK4b0I!3{M6=AGSPQ5ZT*yfL=bnFJLys?vC!amCH8E_2i(=lp2wz;-AJY`_ zgr;G+xcnnl0DxuiA{Stoj&_n3L0(;o7g|Qp^F|ejWyOM-9F7;iP7?aSB}~TDi=tD? zVTY8%FUitr!sp;TxV6z=IUSe?UQN@AkL=cM^O|wU*9@io*JKhqm;izu_AZ$%9d4KFa1w0_TSM3Whvfj|-#ua{{h=IB zHnwWonYQ$wPrl76JrTIWm1^*{v>2Rg>fWoxv@R; zCC|heyP$GLn~Z_aOt^ArGygnj2WI|8xpV07`*M~0h(Lb&C5=tF~=yr-mf8z?6;k6dc&=U6H)lK ziB6N73DDS8hEY>lEWOjPS88Sef<$oWovIWT+_YRhoc<`$exNE=WId=QeENZ`iq;fzwN>?8KJxn-nMBvEDVtqfu`B|V z;qIwH3U+(D3$OSjqFmPV9M+b-hcu;uZPRgIs_gH9Z)Yk)ZUR zPeCMjl}{Xg{H%8)*dgN83O18=HygB_MosP1*C?*_{mO*yKAn#2)04^*pEfAMbN-)@ z*N!2#5lu35R5xYY^HMBEP#$;dw83QLI3a|z45DsDB(uP@rDM*cdBTgyb2g}dGAiuv)l>z;gu zEiaoUy+=jn+8jY92l19DaAq5{9w=ShY7pZfXYA<~()6(~aN2o24^tA%XR%+NUFxtV zT?`xid#tr#7X1>%HXCn)5YrP(+V}uRj~oZ6N$q=ry^z<-NL{j7#SX^O%9%#-J5i_K z6SCKdgL_L)RLwB^jnK*5I!U2!9ib3^w0ZcTuXZ{W69NlfYE-&4my~O{gMt>v*J}|@ zTC>@$rOhy2NIiyw)_#q2gf9^oGN2t^rx}Z@aKPQ_9sX4RrmxN^TjHL_%T$w|H|c!| zmx4e;u{8Lp(Q;=X10pxkCcwJkZ+%REj0L3Q%C{x0_we8o9@p>y0R zyA;jSRyP|G6rWxGBKN%c<+jf;3X*a{+-9QKVa}FEq%LU=H$;63F?=v>@!Uq=W(qH6 zMi>Ck=k)pu$*~j@jYuWmu=(E5x2K2hKhtB~iZcWR4WH@l4!99?d9~-SEBkK_8%_6w z_8SU1RR1urXjIhz>fh8a&7ACy=GUe=WpLL@if{U*niJp`mhpaiLxT~+iYZl&%(R_G z7tNPW-uRr0uBYb~vx*6uz2ejaJfEo)R@iH*_>tOzX47a|#0^wdD=fz*WB;1N_JGVW zuZ%EL8zW|!DNDsEZ7us1SY^a|{II;I1!sg?{|J=efzVeqUzHXd9EizAW9o*`(wH_6V(Ksa1m{{5`$TxgMnFPx`Mg0aMMF=5dc2qJZPTPAG-wfolvKDrDW z*cHCti74PULq2TT9gq_{+)w1EXyRyie5-li2vrsLc^W$!GaPjgC*N<|tV*qvbFIR# z$9d27-Hu8ZwGYZ?-Mpu{?_Z|ib%nJ0YrIt3gp3f%_naV7!+Qg&LdYWYF!ag9#>lJ8 zsioqi3kF<$x1XsBAr{Pis@meO#hxpn>IK6|23`%mPZkfVAGh*g zp>n>Sj=!(K`LWaA8r}|PM=l;%eQ|_-rUN-55A>OCk3DU&3_3ZOa|u4YbB^(`o4U_N zuNH~wjH|%vbHPcg8HC%-JoEO_Vr^5~geJ-0w(qCSq^)a`Mb`183e5U3d?C4XzPj`! zOFZznjiJ7JoaxcO2&C3mE)+PgO8AbV5^W)Q3T>~&`WXGD-v*WNwf z4+9$$jF-QDY&W*ot8}SlcaMHT^OIk6nuYTvpcMatZ@fz#667LCPfK&q{mVo6miQ&L z+=tZow(3DM`3J=eY?eFf1zsqMTme#GFyHTHZs@zMh*3EvwjLj@MGj4!0M~hT9x-77 zNm<#oXoEV9!Ok#9_7eA5Y6z=NMSl^!gstkL*IBi?iqLHh^y5{JZjTDe{=M&5{O?z6 zYcUQ@ZYMK#W6A^p6g&U-&zrg6Zbigca)mSpjej}YhI#xOruFn-Ni)x~W$_HBZu}3) z?JS;0P#p{Td<&`Zrd{Q(r1yf|oRw*0%R=k+RobRcfdL0`1M+bnmS2XLs> zzxrc63%>h8@3FJtqY|xIAqdgEV=)Dw*>F;SCK5O~Q|MxAR{F6UGb7u(_jFRu;x?;X zkPoM50ND-ya+_T~_|LH6o1nZ|U1SE*A?hu^Af0uUWN!ky4jE=K54^>u)MQ?iS@K-Z zZcE)9VEf{|PKP5aP#ydFH(u+5->KARY&2AHDDK7$ujqs7VQo|6rU4sPazaWd*Js_@ zV+yhtsRN%6kH(ZQ6*yfXBU-OT1HQN;yt)8Y_k#itX-h^DvP4HO-M_5=K$Z%&xp%gV)wWBZyEbJo7O`T!%YMa^>M&U5Ff+Ji+jo&(@tG&Dy!U5} zi;3mpM$L~)-&3Ka$yDv6M8mrh-BMAk_h9trcZd__ihLEif2aInjQs$_d>f-6*2K#; z3XbZO@1msl=gT&xYM;hE{~Tstv3`QvV(}2$==RCUYxhXj^P0>8|eAy~74D=MG?Tv%8vd4pfZW4IQEuyY~@ld%i zJFzlh*~F7+ye=hY|HobJvQ2l{odoTPrKdYDOR&p5j{9K;F9q0}g`;eE4R?nexSOr} zb-Xy)4tfOptw({!yDizA1Qx_?kB{IO_?p6`EbMh%Qom1y1=?vQnUc||!PeAe(ok3*yszfY zkWVrc;c`Q_+}DX=MB|ZxFEvBPrF#91<*g*hN_u>;l~=h_$BA49s+--1|aCj8r5u!=w}t0D{wJXU!j! zcPA`!&@?RTVw}03Gx**tMvnT%>m2{=UDnM;X1~(eeT3sPcFL}-qxv>xqWG0q33@}S z+fN*b`@N+x7v2kkwUk6^fsrkF8(*RR$G;*CTK03Zg+h3(kGbAlFC-N>^rMJCf1z5m zH9Ii*K}ObkJVO1%_IuH|&FJ0cpG{ZFyhz5ifS^q^B z*gY%tZ-|ba_}Kex)!PU$=}OSO-nuHOEFVk0xPL~eEU8@Hr>+S+=T;1=fO=(5NwK=b zo$-I%YeoK=+aSmPq>ksBl`yWaoD<>CBzDHDXYqF%K38XZrAZX-Pdl4OCJ~@V`zQnr$y`1(IF z!8$Q|6dUk>p<#hzjzh_H|9g^f#45Yxk{;&Nj|s%?(w8%IBs^VMQFkix$I3a+EsGcq}&xi_CVHm|not8swE9lYKp!(cRh7^w-X*reE> zygYquf#^{wP0m?~Segs07x#MeoMj+)ycSR4N?cJ)rA$rC1qK$9?t!9P<;h=D8}Zk6 zM7+%;sIya17AtGz7)8FD#~p670$g7=A)cXKz+9-6B)v*cTWN%NBgwrCaT%4-XtW)ik< z7-g=t&G~lg3wqRH4+7L|7BaD+ytSI>>dE@sd^;6K2Vnm4n8ay$pUJy{_cf*M9A&<& zGL;un+p;p9wyMcnamlo4711?3j&F(bh=61au4ADh=_27GN;$tGpj|!*B04!Y^2FNu zsO3;{k(P9tIHdAY`D%g%N&R|LuUnc!SM6R#-OUmt!XviQ@PiYAw>x#&OAS)i-NdgP z>%H7lU^JCdxSDDNsX+4(a7W7#>WB@0mL5yWffe-EdhkZ0nFX2}^NDdS7hR1de))r? ztG5hUx0a|Au@o={uk}kP9@JL1Y!BASSbE!&-hTt(mQW5$_H0&!+b494_dc~Sd^@z= zA}U9t%ctu7!hhb1ZZm4y)?d}c(EMOEGk9^v)eM8VG6GE~vHg~^Gw zN%*7NoyQdd&DbkrPv?%Q3zPaFoW_zTFAojg8QELvELb*) z%o^UKd#3eI@k+N&cbI4TE!g0%-VlXeb_xf@5A!{rd}5MR_Ie{T8=G4qIa468=Oyt- zoOLbz7Grg&nO~qP4G5H{mU{GS`CQj#-n6$g^2I^GR0yl_rP$6@&-d}!)z|miw&N00 z1RIySI4$!XKmns?(}odA0^QYHK)H#nBj)rRFIgw?mt9{@>QjI72&@P4n;%~ph6Yck znoLdZ_8jq|dB8FuCl>wOKQ@|kHLHZocP4d-UCK8sFhZ|-l?{f_@dwXy_U&r8O68$XHYzR@=%7_uKLIgK>_OUZc6$h6@g!8kD2Ve3c3c^ksRflQ3q) z?}gOn-}%{r{ki$73GRPCU(Pi*1;xEm-VmWq7m1_Y|2E}n&103U*y-^#RWRPz%GB?^ zck)M1szAdx&Lvgm5wx@qoF(O+-xeRfk4>x2OO3X}4?O44Yc7M?6PJ>YCT^!%eV14) z_N|6`rHZDrks3Mf%0{~F+$F@?iqa{qd#SZf8hKHu<-#eZ#gYhaDHLyYKic!mJ!9v7 z9(6h%w9Dof(H*V%t>eiOv7e2;v*6N4D`K8db=PU0y+6RVJ5j)?eDT|ZxaiyM!aql( z0NRO4#;Y;2T$z5=zWzv^BTb*B-ds zGr!yFl9z2qAPJ(_BVlXv9Rv_XZP77at@fwGB2OG!PO<0`ZKDx;tP2?YE2=2SVdS?h?gw9{Z#ROYwgOzseXM$2+zVo6VrCy%j*n4!0X+st)+lF9 zn7Iq8evG?qN|1;e0~A&jMHE$?9K$?|1F_s8K0177c@gVlh6{lRj1M?|NOkbeJmLVk zI(L3yIW4FzOp6i~^4|8z^(sT@SQm_l(_qVdj8xnkrjOBj*Mqk#R&6+`VF5g%Trp=Z zZo%}@cDJ^^l-Qb~WN#W(DwZeEnj)|b4MM_pTAYM!a+DQzYe}mTvys`b32e&MdZge) zDKlSw?xl*r9yhnu9fx;(tD2^HnmE}ZNbs>3-fy4^gTv}TgCTcmP<+|ATgRr51`yNK zxMx!?2=6s|(^_EL%;qW}bp4Ot{3@3_Vluu&?$zAV?eb?5tfRifHMTlqF^RF@T5Gq2 zomBIMkCmFhTHOn&}HS}q&B?uwpr~!o4i%5=&^M#t4Cm_e__JTq&MzM?rsofE7xZ3nhGo?UNm3i z8?E{c*TpiWiKnsdT$xm@&`}uia41IX-A-Ix(jT%hKie_m(Jy?3OJd0zw{?Q1aTu9e zwY(W75$VaXb<;cDgMXRvi;3q(epM|gRlypw89{Pw7;pXZ>iKR-s5P&THeYZ>V|h4v zTKiqDV|C6)TD9c&%B^q5x%u{Y9}aeCy+Cb&Q>`31BsA@TT67y-V);)8P1Ty z;AQuZSIJrVMv5#>DOKJyE~p{)I?%SyE0EnK#3K(%#OUq1XYHS=re<9e3VLtUY-=6# z9ha3J7t-g9@zHKOp9`&yTO6r^Uz2w-;ODrXVc+P*HM(iN_;W(7=}|oNQ25~hcTyz5 zzyxRR-b@)hik9|mqx!a>mhTp_Zq`=45x5<z3qD!e&ZiLE9#y=rwroxfzonhrr`4?>^{*`iYxYxj{MdjTIHG6Z6E5v$ z;`&blb19E5uOf6wNbDtCSEo+20n)23q8Je;tF>~2zal#%oa1F^bXqmNeN(B1QjTQT zL@_02-pM^9nyu~t-TOF}NK`nSo=j<72br1U9jn5}S7ulm__C2qSM5`o8TzZYTa=f3(8z zgI&CQYKOcUajiL*yH#<_fuBV>2)Cxfa7)f>MNK;RX!kLvFK_>E{=b+~V$#_CQkQ!Z zifw!2D`ZI*+aOwWhXe5R+S5p*ajIwS?iZ?{CQSAh0^ zlVaN6<^QS#`+pKMTURcUDDMzJCyP7nm$}Dom%-JJ9vw2bKl&#X<@G(sK&6VP%K*2F zP#pQ7qaf#e007L-$uY#=YDK&vu)W)bW==i5%Mnp#uU-`a&$g&@ed3IY_Fk5bTCyU< z;FU_q;OhF8R*9G&8J-f80nopVI0<4OkcT!$0MmWED|f1Bb|+jaIgsNm1HRCcQo z&MilC`dV;H{eUIBpAASgvn)>b7K}m18<&q>dj;NH16O1x?re~A9_h-5u+m#2{0bW1 zv6)apQ*by7svIp%Ut~7zleMJSYhp*4a`it%FCm#_)t_lbVQoKeWrJ_5e^E;vN&U+|lA6FtXZ_I-(yGL;FgJLqDw>6LioLD%A!Uo?MN{|8Ev`VW+(_2SY! z$^RzBBk(Jnp*OMo z?Eia1(DUSkIPD)-FP;gV{LkzEnZf^;^1Q;6#?C2gjqr_B+|j^`cGQ($DnVboe*eD! DUFA~h literal 14102 zcmc(`X*^q7^fw+{)zZ=lEk%dhDvAzTHAQvOQq(-vaI0FOi7_H1p70g38aFzxVoC@atzg;+>Rp9_D;me|`FrW+r?>LgmH*XykCF*qu`yjaM?S zr+#cd+Guv+wuFk$+AF@eUZTb1^}Duh*WELBj_x@jt2Z3-CcNHwguJt0tUZt}G!mM! zDjnqnzni)%4e2%^izbhp7fKz=N(cE=QBhZ9xfSlUE#_J2?)&=NCsSrIa-!nZPBGy2 z<>P;Cx2XB~-f;<0dE)B-uQz{~`HZ|1Y?8@?DB?Iayoj~Q?`>x@gcB1?K5T1jdd&vO z*uq$Dk-lZ8-xP`Cy)V5lHhPtgDWyNdQENA)mHAwYKkho>PVk2 z2p#oedkQ?X*VovaD;SKF=z1p3HoUjw%S2$_E!rlRu8nM(SNedL?AkNEmsV9MUi z+Kg_CZbB!h001#>hU~;P9|jY*gqKX~ofS*8HW$ui=gErR^HZ&GPE-I+d}eB|&mW&0 zoOa*rPGRPB13xWRn@6wE+Wqv4Almbs0ys=H`p0x2v<0Mem@#Y$)XClII6W|g!~&}ZBuuq{+Ziv`7Q#B~~P{VHfibL#HOkx=U6gzvmm+x#g%a5Ua&0&A97| zO5FL7LgUrXHTQ(yS2U9so)Y1W^{=w&(R~dGYF-GxsQY7ns-4-4FF@jIvfR6Sf9AxG zTdh4wj>}oywQYUPD6N4Tj~Gids^psO?wD-;>+bV^6^r+{1);erlC^JHPdtQ|cUno?kc39_;SO-BEm^ zP8J^z41Z$VGoSB5?v1y|3eRmfU+B#RAZHg1&RwRS7pe%q4?-#m!;j@d+t{rDlVT>E z`nOm4X)qr$GB$J{s{jq~Keu*imbN#8@g}~nCMtzNrm~@J!UJ4Fg}Z{N%}&*JVgz@R z{jr{e`(>YJUzjz;3NZj2nRCDSqwkj}>#QAF(j8L?`2L0?5(W6}jc(Z3(REnk zkCLWL%a-5`Px?Z4D*~pU8+K(ahZFBG2J@utrA#d(Dn8~V^xSto(yhid<24BiqnpVc zqMnv^(rhM9wG*4LzP;eDBR&-HPBeEFO1@)_x8S<=A$+>YEdU z0^AI&f}9Ieln2{4dJk;{u_jot3&V!A)n^&K`e#MXtLlb(Y>Lj8LNI>a*d@~K+zta- zg7{6Tm++o4qF_g|^bujMum#2IdeZPC0+@W%r~0pVYi!iRQTqIFiqwy#hZ$Z->xw`|B4sIM@dX%vZZE8acXhi zlB2TM*G%hqQG4iT60{k-*NMUF?T0?LUAe?Ap!_Wt?vr0O^Buoy>3x4qOnM~ug2bCx zUq*G`LBW>(3eg#`IF7F|ZTwlUUGxl7`>OAw!FVXC-;4z51U08qv%=5srVNAC*A#Dm!r}_N}ayUpu9lIdGoqZItx8 zu-OIK>Jv2Ln=AbwTgO<>W7L`>BWBu6TYfm~%4~H7!~UvSI2V+p{pX@U_vT=-6}z!h zw_^jY5x5F#?Eju&n#K<> zoS}NV|EY?I{BdzL6ivM#x&m;?F#|qGXzh)wGyQ;M$j3-pZOf zaOs7W71!wlGQV-FMGnRbo)o17_v zLwV$-!KPJqvA;0#YI*!KY6*;&D>85!{ zY-v~VOIK2_B5}R7S5>|PHbdkbGqtgxaPn`VGdO4Iq-(t^L#Jm7V|RhE^UodgIqVel z#dwB-rP*9#>W7E*yHBks}ryD+;b!`K^3x>O)Ub#QjNmjI=6^A-ACU&Xk zoaNow($!RZ_`<8rUlibOi6K8+^_2V|n+lW!W|bTtc=2&V)opLguhsoRin4be4$v#x9=!ahj3TVJZ)=efJZ(p8XPH9?F^OPZPz`hg-cI!)A5O!NbjnP8_@PE&WoI%9@o*5$Gk(C^)TNu3m3s{?bkjKGc`^9e?MMz^o32tD`K)C4KD`E<&HKqbPX&^sUbeOcuhmAHz8$f0kEdY1`d4Eqs#baj~=o(730=4u&C*w0Qmy>}sKVXEig`i9W1)^=%`O5Wri*M|gRBE{D^rS?gRcUmU zvS3Q-!p~*}D7hbXG?-UcJzF(nhc457hjJDxoMElG_1L@R1zw9Zs@Vv@Hie(>L^H?3 zi$?2I-0Egu;8?k*JO=!QOC6UWakDRka-)3=o^JhktVBaVDx}c=U9f>g;Vj5M5!9hv zzC-N--%EHJsf91u``gYXoOyoIq6TE(nat?aN~%jRx6zf~u%ZlWK9Jf0rd`$@gH({s z?C4JIi66dH>^thz02ZJI7q6fD!^|42Y;nlJYBc*xZ`d9Cq#;@9esbsSf4qoHt3Wq0 zzOn31Is2kbxy*nj;+JoR6$<82OuT4AZTRS5K9A=c4LC}mD$^14!->HO z?8?@a(@k!9jHOl91+TqDNlULdW}tz!GmuC2k8Km6c7E@YmtwcVJxPdJ|3g7&i zI=F|_{j&N>mM^vH@;APzZT@LkNG9C@MY`WJ_$zMLAMW_)fcIF5t5Q#;zrq@)R8mwv zc4xWOA&!Ew!ar$h;O@;I?OFRNb$u-U^h;qkqIuovEs#<-XU+wU8vfDqU?s;p(ZcIv zdW_|h zJIsv|`R^rn^Z7318O7+Lm^S%}B(-iSI!sv{bnw z?~#>!^f!A?R<$#cKfqdr(Hl+|3k&!Iis6Lyv)cCLzDP>VnczRH6@Pr{%|LT-lUs5+ zVbaZM zopt|^5Zj$bM?L&XTjXLDh<@&U%ZNUP7r!s#6dn4C!7WWSy>=-RV9NF>)ta~jyj@cm zcDGIXdrMda;5H?$Mc5kFye@4^@zJX1f4KzJ2>u5<)5>Nx_s7QpDPpA(6tVch!fr$i z4*X2k0_nwk&Rw2J-=}S^?tJEqV>>>+Up;HEB1I1pRsJ_}rhI0A(_lH~4UO0;2FZYL zyPKWSx$E)%i+IvVWIBd~NeWguQ2Qop83~KNJ3OqTI&d}1>j&O@t-+FF_sqgpzEn#| zY6n?KwW}g~ak8g24R!*wNZC1lbGLJi&RSz~!x3dGCM>2%FO@)5&kXreg#2AIFPkp$ z^U&osCpxAXdz0C7j@dk*C@p)7r1bB)bqcq8kC9=tC2SWILfUbW&1fXdxhu}-q2mO0 z5_v3Fw7TarvUvr~H*L_F=Dc(-k=45a=}ck{tdbTuqe;UTZW}^!pCa)1?+U<&mQ~go zo!k@dwpNC6R(fDSNz(0j zeu0gL!+!jpG(T6u9Bn6?iZFtX%w_&m)9J>Ql@O9WS}hbakoP~-xjZTyzJCZtXI9Hi zU7C;L?H%oknn~=~F&ZCM*m+1vQEKZoSh1GyGC^q(d&=e-9qd1xbVF8d-pR)KXX%{7 zdS~dyaN_J91(FyztFE%vM6K6pFIBUqkrUMNJN<5%iefN9M={wj54l+HI9O3=wcXy* zvk1j2jE>JwufM{5LrN8uC1T*|H)9ZJn8~G(F?IOfJ}A#4Rzp`bTSsV{{Lr@?&(PJ! zj4EdN?7n*BR))^_@;f%aV*gqpb?N;wuhJ3h!gj=Ip0hh3#aKGFGL+wYGuYC&xUp&R zele$yQGvRTYk04;e60>V65ot_)Zh@FMUux08s5qL20B*-!>zP^Ag;^WQ2O8iAOHB7 zR#BbB$-3jv1vEQWzfNZ$R)Bc72`R~+%M$hQA}q&n%z)-+W*lgxnCuT-J;d7V4X)%? zUh1TSOAkWNuo?%}Ocd}0I!+EnhnVQ7)yVOIq{+_@)Ae)<_j&JBIJ};CZfCH5W<*98 z!u(|Tf!pzhZ7={Qv`W-r1)*lp6t{G4=#Pp{!$A}9pwH;ibx#;+8S){xTA}+x(z(9R z4GM#tV^-Yb?1z+ETZ-UZ_`sQ^>ep^WodW0xX!Dr9UXo#RGLqNdH|xHDGILs3g+6ZY zGn;w#Smk*`^do1&jWTgdR(Q0h{C+~NvfxEYehAuk%?nJE#VyVSI-Xj*#v*K#9zyhv zOI!l}ObZpmq+FA${J>nW*CuKId$Ov?89qx}s6ARJ0uU~ARL(~B>Q_CQNc#}d?0d_( z8uP{G#Fdmv(oJiUMb-`|@3~&@@wgH_Ml<%oW3%URp{92amsIwmdX1Nk{HeZpE@(w1 z>0_WrD)-vw$_v7gYtp0=0glDR@cYT9p(z>zqf3<_N~p3&>f}2Yov!^SX6`qBdJ{G% zvhfrOJ(!+|m6q1Wp{mYE&_eC?H31}LfCJpO<>enxZ%5u64iuC^emB1VfMO@KZ zrT?ZCU#u*vGgi3*Il0_E%l7k>B)C1wSXlpI4*WbgpDuT<7|Oen94PZs>q_^OT7^58 zIlcA>)$USqCG_mH%+cIC7SwWh+&@de0L|wn7OCzpJZu?q9wp6*^5t6dl_GSl-5gS+ zGh*G*0hES&L3nv8YnhkN79gl_+W@O&_}o6{d%s#4`?J2kbcg5Q?xo#?FA*|Nb|RI; zvcg2}Lg1FLLD5FHI`GIdhMDuq>(CiIz(@M3v7zlkE&zDyq7AU|z1mOf3100+SEMMy zF%;;H31}($AMU=f9mV?erEKFX7-4fcBuW#5Kne%Z{efJ~rsb?KtPo%!q1@csU z;>Xsr@Qul56WsHdR8_hAZ<8T2!ZP0y#0xUVQv4Z&R_TFX1-D)Lcy*}C$DD-#8U)0< zY)(fk+~!=a3q>nxTugl8;qGj81omaw?iIqd2+aPhVx=4U!%NoAJrFb!j7wdwb{nG- z=rt8q@M`&mQM~@buj)sO?w&^M$@)$dt00a{_-52Lal&J-kqbA(;+xle#H;uaLb;xH zv+$IAakU<*Htp$|Wx=Tt=`0&cNKMkPp4t>IqElnHd#2oBCZZ=9!#wipT2I>L%gHT? z?u$OSSA7I7BNBCGD(;+UkpZ*(|Z(R@DmacbXdIV>~3jGQ^O zRB6vt(JHFJfHL&dk~LoS*;`(toP8Jk1&#vcMKCT$+b^9-_vo5#=zpK5-i;fM+JB$G zE5HVLI9S>&m?-fC`z+|XP1JnLoW51aQynyeyPg>s^~gL!F?f~?ez}K_NLRXlsJM4e z4019fbx&T;qv6Kw*;@r7M(**AY}=)Doznu(@5AMiOXczp>sEV?oeT8$kTF3Pf)DBOO7MkvX}A-vh&ZA8F!}`Q$BDV@JUk^ zosY|2bkf zWUtWy5kbUTY+zL`uTLch`ZaY&jdA;!#b_W;C^}k;<{oFG_ScMyn2T2}xv;T!i(eS3 zt0#B<5wQbpliBo*Q)a;b{pa7KYX9-oC$7CF*6#c7fxTv%gEzKW>$7%$@!Su5dmtP0 zv?ua+73tE+_cUCf4e3be&*qTbE=VG;Gq5kk252y6QZ&H>lmjJsA@e20pK*0N#W%$6 z25nWNg^%s`mrCaV)G|#a*OVlpesmdg?21Eij8}FS?Ru&PT zkKZ1{#j;278Ma|DPfq+$(-q&4%!WRx?o#9h(ZIOTI%!v_#~NH6b&=LQjEj3tI;+B`-z<;E$%UhKdMW<3+dbjP ze}wMK%lx@QbyMkOcGKF}m^S}PfgBL4F9a{9L*MCJXG#O0)*c>ePIi5NLG@E zjcC;xbmKh%`n7m{dZvbo;7~GdR+c1shSHI1OHW+^0XoDPHHz2Bl1szNhGG#pkmt)^ zUQ>N{hu=jveFtgUYF{pt%X{m&`A*PBP9DvxM3H6s_R-K*vtrrPWnM!6;o1P|aEI3x zpIV$jST1V){;|>-HzJx$J*$~6R4n)|86~oUhx5wRev+qLKcHD68JN-~WSd&TfXfd2 zA!RgLHDZ|>(9#6Tirp%sZ^SP1O{2Z{|Dms|t6Rq+0c7r!+SX;{HXq_87^V(ZaI*p` zZ!3Bsf+Jb(^ekDU-=8G<3Xg7`)P>(}5G>+rX7pJgsa#--QZaGE0!IxK^wBb>jSh6JINFKa@0i5{vK;N-vM?UvJ0Yir* znbLzZ;NpeA75vhoNvp3vP;xoCf%|+J4dLI2M1%zYY5u_Kl1WC$Mv1%Zg|_nM%uO30 z6OVGCgC7Eg!6X%Z(7;xQGvTdj@8=_htT{Q-G^b5O8F|2qh4%i6qw zHHh3lo-o@qhk4eQxK(Mq35-d!XEiMhRh{rat_(0=UFdQV+!3h0Zy{56r1Kjw)VSzR8&qB00VHBXn(*C%A*s~>6! zAXNaj2)MTTs~c6fezt-?S|&%h{9|hsM?_wUL1VfZp!GZXdqj4<`?>1d0h6zg*UVd=P5n^{2a((jWiuO}~^{v%j5lHgUs?rG{zR_#J(Y zckkQ%OB$WUQh@`CYRw4YFSPL2FsFY{aiSY%;G+2`v~OA9zasU}EQWa9D6d*q$SOoL zYrY>Tq+h{ELUC~=i*-U2hEmVaR zE?A93yR5XhPiH?q{8R=Ilh{ixSrmD2`*{daxH@^Q+Muaw(4u0qzkBW_Ai90IgPCYJ zlWMQP|C&I9;KB0Mvd!Ygfr9FGCvP#mbfJL0wRzh)S4YUacxtl(H)hE5P?X}itShN* z>p%qC%`tPnjwh8gs}m4}O1eZ(GM~a?BpEGcZp?veRb?*}R~js7*9As=Qd9-|F zc{^t*Q2-zwoc0pVDuxX|ujGmiU2dvyYC&enX7fZqgposxOR!Wi1LRMYjhqgs+|2AK zygxE}OSo2T-g8(?)X;^^kjWS77!kOYTwbWeFDm_Bl^CiwZJKC-Uh_pQs*s9FdHjW8 zcYn)GA<^Le`8%@-m5ng){B3h%b(5fW%b^p^v5jj@?A*qhjuw2w_?&rQEtG|VFuHQ3 z{#ut_gvV*~y$`AY4jq!5uVOcPBA|<)XZnzTJ)fo#kFs>TjPg9>&b*F|SZOj{9rB@8 zTo;ShsE;PQkG-uV@aLgurrD?n05eDb_59Cxmv;;g4a~OT*X{rXg^DU}BYQn|e{}Co zgqc>Y{(9yay8QQ?)F&5d4smk@TdXFWGiQo$X#K+quur140gq)yei}rw2kzShCA;?C zc+~#z@G0)|6CH8`+Se#SxqwT_f(frMif-SO2%9-i-H=X^*%d&l%x6N#+NM6J3@?jZ zdNO0kYLM!ic|<(t5iLB-YQsCjazp@3TK;+>8o$U>TA`}flgfAg$#|Up&v~frryu{E z6Wg59+qJhJy*bY|`MkJL^R-vyD#N#wkTpAQWr-6t`w@H5h3Rb%n|$K0N&7TJC!~?I%caHK#BUjjr~6z>*Q!I0WP=lo-kK$ESzpVdNF&U_a6FW``zNMO;DZ!Vnk7U zJLP@z-|dG0hxYxyy?JLu7Q9g1}5RvpeGZLh$~YeVJiTJOuZMAg^y%oINeUZJ+;29Y)0OUjHnuc4PH_`Amwg6;)wwmGxxl+m zO+&b$5?r}?!EJ|`+kp17jBXNWt?gwvn|f2YXoSk}jATwnBTZ4dWBVNLs^IKdof(Yf zNY!Gk_;mefPovd~M4i5=Ren+$VQOVAngP9&G0VMiC2!1*z~B|JTURpr+!{Pol@)T( z{9XbVXdgM5i;GaV-eRrygwMbjS*w;BM1S~Ob|9l78QbU4Vr*(`bB~Z5*FS-1Zd-5U z0!2?5%=%DBHQh^fNTuYZ;mss6H3Yi5HrK}xa&eTAu-TQ&#e^O=HMJz$D@__(INx&u z8x_>~{9>5@RM)mK^@JIB7e-k7o3_?yBFEB=tQUYnGUqp0zkt&{K+{9b;Be84t!Rb-p|RkL5rVSqki0swaMM<|L--1x~bLC6Y5^ z;N4$mSRwmY*cql%Es(m}FOKNMf;GU{!I>~tbcHi3bTa@|L1sASjos5Ardn%%BO7sk zoRHgTmnK_e2}ffX#e>i>IHO|W0OLtI+qcek6XZ2tTxN$F;C!edt{`WMlAG*QTQ~j~ zcSK?BdHXWx;XrSnutug!=opD_312`K`n(T&G7$EPx{6BsvTBCN= zZ)&5JFVsGFA6$hn2hw!6FM0+0y`SqsGNUqzojUWy5mI(VT4ip&?skUHk+FL6n;Ke= z!_LkdRW?r5xD^#LOZR$+&BKs`>6>;Z`@-$Qe&y+KGdN`RSed^W@w)dpSM4c|R}AKC zkI|NqR`V{sYL(2~2CdBDgCs zCsk}FizRBA%sjy`T9PRd3De@)ep(Wr?@Yd9Sm3D z9dX#a0eRj3Wq!S)!t-(Ig`c#t?p$@SZvZGd@|`s<*@U$3+J%n*FQac_P8vJ49qUdO z#noF*pg(`Txy1_X#?qlNMNcivS;4Izi5Jo7l=MwP+AZn=^L(@hv1T(Ofn4!7IR4>? zS1mh$$4BMSYlRcWD=)BDZ<%Jzel0AyYe|W1VcPMb98!!I8KRYw(}e-M`;K`n4Tb#U zT9%)+T1BAgHFas zcD!2uccUYOnBQ;5jEVf9){Y9h z0AH&pA9-HirQ^%GxyC3}c2vx*OamX3`;PfaB(H_mT9BOog$OxocnmQ>%xO3eBaR`9 z(hyLssErqt;Z%Z`=Fp=(yUPRKW0(*Prx@%^N$quz-2|;TXubhl_FeHd;aUnt^0RJ1 zLy+Y&cHT5S)L9O*0*^{6)%rT@t)zcPmRs@iU6350= zm=*MIwsV6Ly)-GiZ*8N=e^^(IT- zL-Y$UJo}SGM4686#;|nfp(AMoHc02Y9eF~0kpb##6Bgq zF|z=x1uL{aS}8MP7lZ9a!cKH$*pStJhbihhdM?3tj;{2r<*?rf9;CaKUnFJ}GnWKQ zPcFiq-2TN$_4Eph@KjMW3?I=Z!(A-gvw#v)Y(tYbY;TZqnl2&W5Sksd_nt+dLkAWS z&DtohMF}=u%oGh4&a8J8b~&o(5@?JX&1AgO4=X`Ys#mQ@tvY!fy7ZH;I2(8K@KG^n zVnG@T#R>H!y;%b(4l4pz{YenYInQA_#(O-%MtUI^b<>J*ow@Ndqqtl6 zDwDAiS^HQ8?G|2fu7q6md(qVG=17|kT!jJk`3JE+Fj{CK*EHBMk1;H~?f%Pc7!7am z*wll<-9Y&8g<;%bQxT2xi%ODrzE{QmUES@umMB`Y0jF<5x&CZ5iDHeK#WObwiHIeGQnY;VX79+udYyh6m0;ROpp zW357WT3uxr>da*0@2D{`4A+iS({XmlMD-B}MX`2Fcy zUy_PZI>FN;tySs~KPZ56oS#%tnmDca5C>zA)jaCX`@$H1m4kAbB$e`ACz`dqgdpgPzjVdC%|H3ac8raNq!(hYnt{O zR8*KDA9AA)*7e4vul(E8){#s70aTLzKE;+@@m26CmOe!&Jp%Z2$p5=nImN_ zHRG&&7WZZ++&*Y*&2jw;{ESaoD0#t{F3qC;p}Zt!`Bg~8%;Yz!B#VZ-OBcTuR31kO za_D#b__V+`Kk27R2d@a%6Cbn@hD6*V&V z5|#=L^vs}kM3P+cW_=Cip01~_9aD0MVLQ3gul8mBoS!T>mJ`NlP4OfKxH09wxurKm z_%*l%s(fPQ+iO)e^sM7iUlIbHnbAmRuD<~u#?Jd$mSSwWt7&(U6{tI7-xs{~NS<2& zk^P{)^_S%Rl7tuO?-8QB)LTuf;hQsWGA1^9lGEw^R8Q7R9u~dP^^#-73g0{}N8>MP zm<&T^lDWs|5XO7VK*L`KfBM7y4YImdHbxOm5C`sOW19>^Q{AbCzKvj{ zrXV$Z=KYj1GF{hs^r+*YA$U=tWWj#Tk1exMhWR{3t61nu=G=nk(;bubTJXVwU>B|Nn5CZ)FAO%>lWxQngF`~Y#UOfO-t zFSeD}=-w}Tse5U;@T(Os%~`=hU9xNQrCAF$=^Dco9Id5R>opZj)n^9?3a$Rr6v#;3 z1Y385M5rS%Bn7H2I=NAXQlmenBY*l5m4gtK;R{y{$km2LA-9-82{@&;`zDooUyN;C zr*|aVnXp4n2fp?%;|kjLzKIR)RFjAhtpP58d0?h?kPbi`%F|XfQmd0p?~NJKPlqZ7 zlI2pEapeb(;9h8F5n?-`9+lSDbI)q}H5iXfri^*)X)r$OW|@%wegz+2T@lkC`KTT1 zW;pqx5?U5yH&H6?bAt6;&;~o@a0|rai-Ngv9cVW~icG3yXQpv5%tmI)TCK3xk+2ER zOA(R2E9vb0gNs-7bMeTI1Ppty;}|YnQ0$~%I%4ZuXs8uf{&7ItgSFuXAE+_O!YtTE zj-EVc#WjL-pONcpTN&)&SJGlymF~o-;qTT*y>$OHI`DxdQNQSn#;Cu;o`wDqgu7?$ zF!n^Zmf5dWu*)1ygA53h3lzKe;=YA)Y5}8TDBQo7+PS6-CtKLW53T{E5brqcFy1x% zl5KR>s^Tjo{?8_5i;Du;cE7)fW=Y)%lmDIXAo&^t zYT}PN3sB7;v_Jh2xw4GqCcyT9)U>k7Snp_VjdlmQu57`0%W~?ik!Px>hSX>c3HW}(?;vm#2P2o z`0BN&YYg=nXm+BzceVX7%vJxiHsOps2cQ6!?>L;+Bpt*xlaHx#>xXA3-;qHfj_q3w zrANgIe(@yzkvH#&_AnH0K-ZK3+>0NdJvM2aa#AFZ~xgj-VF;^h*zq5pe3ETOkn6Vx5;{qnzcQ<*um?lX2`u@%J;jy8HeW+st$6Ix- zaLdp!>ncJ`- z9D=IrP?H!M{F)kCm3%D&legKbEL+ShF5RYHULpL2^{=^Ld-`?~>thy808zp(~F?ki<2s;2h!#K%TRu?WwX z;yP-jo(N_W8YVurdXnwWVj=n-eIpmy{An4H_^ZmTm)E5a$$OVN4w=1oOZRb3b=8Qm zqKvx`1KvTz(9n8oB;CWcf6vL)1>Mdv@DhK-s|lPf-yfi|1bITh%A^9}1#HnW&A^{h zULWURftFcyg#XmzPZRCDidnqLEzrVQ2>!V%iRK>q+&48*Mz3#3z8o{iUNWb|(yHL=dypWD zQwjP{2c2~uqLDf6RpX@N;MVmgxY#fg7bOA7hc&tFUx^_*TnIOEVPAS{#^v7OyY`NV ztk}D-Zu(kXcBl3#rrGnG!}hK!d{?C)K27c9-W<>e&*~{XZ z3Q$zgnAq8l!`{4fDC#jyl;Z@h>TZ8s_J8W@38{TsQqBLy7WRU6^F(h3+`eIbz4EGe G?EeBWzMVb* diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png index e86ad1454deefca58b80b4c04d171bff693672e6..c2092639aff433aa2ecb5d9318ba7b030d82597d 100644 GIT binary patch literal 27865 zcmc$`cTiN#*Di|k3JM4Yf~bHXIg3gTijrT_ki!rZ1SClqauP%(D==gjavB(N&KZUz zAUR1G1{m^?W=Lm`zwgxjZq@zc)~R#q>?+Eh-o1PGUcGwtTFemPyZPC!MzOHQ2kkOWp$bU{Z+R}HC9M( z(aqoAFE@9{=wxGO%vYMJV0<2(Qs}jbO3_l6QrFp5)Vn&le+w8aaLM;P&v*V?3UCUP zz4^B!2-3KD?Qcn*jEwnjp;hrU^FMz}54bpik0xACZv@}@TQJK`zjOU>DV&;G_HQBJ z=l|BuoM-M-`2HCbP}Xb2Z}sh-MM)*{pRQk3I44d-^k0sWbpdB4LyI? zgR>6*BaM3e)nx;lV&i4Ll<8SZlUX!X8hKu3xhDOss-EPl*{qIxgl{J48z9RNuiTtU zazWIc#8NtKrDun#DTkwnI{ab$m!}t%v0@<%R{9iY{#yefLJ7Go<6mdF`+?D?Y%dn_ z1jhst3sUVHz|Z^@$udYzkFTbNVixGV7F6VKhXUQVZYE4yY71b$i+AOyz3QAOEc{en z+3J&Wv1OG>!GEnvhsOy&pM&-7*zT$Jhd&P&y6Jm|2F`4d`tlP?NmM>X?#9`xVQ!;- zU=qz<4%jgdKt+sHmitYRO00ShA<`x>Jc(iQHYzsbHR3$Ue*)v;pE;z3y|%AHG))<1 zIT|!&jdGxzdaiIX6VF#lg_6?rK-VWnF7!P|&fZNA`vU{?2u-AsZE8fZd<^EVxrFk5 z)xEcEm}FXEN1h?B=cG2u{)1C!_>Wquk**pT}50jeEshMMQ@Y^S`Q7gli^^LJHvnsg2)joFn&#bA}=u42A`njo$ z7;b*`L&0A3JVNamRT5L&Fvpm3s;(bf7*aKBMVxjFWc*Mp%0+-Ce%X#221@&a&34uK z0Jbc7gW@&FdRO8Rn`hlt3OA}uDxiqn6{Z~+{g~&@=;w0}Hk&wlv1fXbuCIoK(^h^* z6;}Tdj&+xZrnRr?N`v8*T5av-bQR<3zKl?^z+7)tMC;fb8>&T4G8GrWs5Atlg!AMFTLi6_lA~ zre^kEo4c{m1Ke5+0#z}U0cf4el%FZ?jV{A(U?}Z&D0-f@VXbBGBKrO;Z1FB2!qSIc z6?by?qNA{+5LIaK-s%m@NWI*wNck)f{%;`?VlWJ!LL7L` z;~7v5xE85$-$wgOt2)!PnR3*|nF$#?EntNL#-GK@CNy|R9aps!nGkvVcrEasCnHwbm#`c;7uavi&;n+$f zkm_}=(v`ko-W5a~Q;t=Rm|Lb+u4LEeFAvz`6p-SJn&v;eGy3HqccCzDYIoO$`)qQ> zZ*{;ui^y--N3*J~-r%N+kuiL+oq9EI*%o+#Wml)U}6m zh^dn00s8LR(+dc^zYF(9msL_cHR?Ei4J3D{k16K#dxle}DFY zaavVcW^anrM0!I5xqY%qxidygjC^n72Tne8&K%u3W`+m-?Eh$dO+*!%IQ4A8e>g) zA^m-#Mf-u7Qd?*Oy5tsA)1hp?`_E>lNZtFPS+|4Nu(PO(H_vWoi6(E>@qjI@-!z&W zP;Prd%f<2-t-oV$y>Cdi`qZsGFHpv-Y)M5h*BNx==9S&nOCcUZDO-m4!+ftDHF2I1 zDGdknNUa`>F<-+yy?HGK9@v}lw*^5D`W=6|d|ZP{v53)p6R&h){7HA-H;+1?p+GPF z7E9nTviaRMD3Mant|yoYvNVwTHpXMq?d)Vix3R|Fj~omAGZZr56o9fhne&(CO0jS# zH!Eyj9XkE3oW)T>&5dG37$=Qc&Dy+a{^(@5+#1rS=VISZTPjR;P@bm8RU09%9?7W( z%|WPMHp~gsPr!?gbG8Ue>-=yzhFT)C?D_pDg)V`5%A=*PbSo-t$>^ir<6Y3DvwI83=wRX+NH!BhN9W01_T3E@ z!?RUppI^)?yFU;D*&bJYztBV!8#Ty+6@uxpSEuGxn~RNarhMr256>FB$ox!dkZoyi zQXNQ`3(K|YJGpj@8JY@QyB0m3U!3^+8dslAjp!6?uQ#vm`#C|*?xZ!Ycl2SG4?Jz{ zLtK33ZuQgTNUzNvvNcH5Ih9oA+f9qpp*wTPx~eO$jP9GPwY-hx8d@wQzfZS2a-^FC z%D^tjFU)zNgI{bOTY8IcX~CuNexc+(oskV!MxQls@y3R!X;78m5aQ?0n%Px;Y{2Ky zio(zm6lejymda0NWS&LA7M42O!z(0!^|ag){wP;&0a1It+R}e%1_3Xe} zqTX!txCu6ic{8XNAD>=q^DH-t`!1&_f@gEnSbKOwcgAquGf68$kQCAnv6KA7+@S6p zY6(Y81ILfVVb&*Xh16esENA30kAJbLLxg%WF7mNUrD4u#YEV(a&I1xZmevyF)n^ z?rq-UYvgO$g8m1q!diST%^Hyg6IkxdGj>o;f?J<|{F$6N%pr<143P61bA@_*3oKpO zthaaB?4$l9HLIRe!%xf0*OnSspv-7Plo9;7$N@0N~aM zawI9})z~yscgZ>E0Sk#pkf&(?h#mrj(wGPVhTz*$AY2&uOf5ZVGk9|6kd{fGgy5<6 zmgZ9cw}BTZwpmjDE&ZR5EdJNSlr2%`)!tj&O#d0EkJ4he5 z5qlCMvq4e6bB~#s8N<+Du*<`|u?Ud`#rwcyt$#LhY=SU%egEGS0+xdOup<7?=OL5e zm|wZj+-VdGS{uN}Wl9r)W5&#G3ddZDN-}g5c+LO-F}-`8DQ7H#&sQ( zZy{C&N?!!g9?BR-N*|X+sY<`;5K>Nj4*K<>?4#mqQ1dwbS+_{@Gfn>FsVdt^t_>=N z_-Uz=x#xvv8j!P@$>wUUglbx}fhKsJ@%*@^rD?PlANyW&-S794j>e)lCRn#gy#;eo zg5n0ePFMRXt}voH+G6Pxwz~74jBcK?<+MvcEpoO>DegH#1$jdIbk*oiqNYul1FSCD z&~L~=E4pvTKTdrEpMb(F-`nuH8W=twIDXbekBYl7ib#nbYq59w;e)K{?@E<0%@ciR z@K!_+e18~P1O+b-)4VreNJ;aXCDSY%p5oscLYJ>^*0145YAp3q${b=%2K1ENQlqxp zj_$5#=)?5VQsj61j5xH4Onu*7ti9-Cm=ArAFBDm18j8V`7e>N23%L>J%{+De6Mc7w z8+_h*Vp1ZZGtO#SkDlus8965x@#KLPk`D~o6w(~VUHGHXdXt^!amcK~c^yV9!Fsm|-#Fd4*@Z&v4$z$>keR*zKFIZ#dQ*^qk z_3Nb}MFo*6Cus<-uAEA?sG$w5atpn_pOc9@d>7Tr8NxhuluXi%zPkpV1t00`XY_S0 z)_y}{EL@sY+!j?-JzqkGQx$!NP>Liqsq4`@-c8z3Hu!M6kM0#nJ)O8x9|EvsCYXPJ zdBobk`2bq-J2Wpc0imVO^LW!(u1f_yhda!#6%Usu({xBZT(4^P;!hV3!*8o4H;?aQ z>QDQ5Iel}oUZkpDxQRhEI8<@f?G|!kNFH3VtAy$1gYNTg=ZMOPmWT$prhX0s=HJv` zK9L2NHBOHrU2bAAI=e$P%UaD^)=!%kQcqGigOG}zRZv~0&hin*n%&W5B~_s+z6SBS zm8Q&ENOQr(#JE$kcgdH7#p+9EW9cCP&u~`e@7cg61sQYaA?$fe7Wq-smM+tkgWmCI zwE^|W)u@w_m1vNpt<(?;Z27kWdV8J-{!I+P%LE_%Hs51;y2)AlW_A@16(2~(9+g#8 zR8>{^sxdG_w70J39KKuzlcBGwSq~#58aA`V{McAL^! z>4*;h+#;VmapK#I%z&>+VI`=UhK@w z76gUXQ_yD9LO!@VX<1IIKCdjBdk5<=&`|@!H0>=?QFTwlz|v2ivEs}igdL&PY_GSB zrrl@9ETmq|aO~)ETg~io)1-oOhPWo)t>>kB&pz)vHf;kQYDd@4(Ds>$dNUpk8^~bp z0XNi^@k82aL$>XjX50s8hRPYp%4l*HQo}uvsXJ&NJ=^o5RTI>yd@wOyM#?@jQH7M- zS2T}nNRJ&wkeSmACC}YWM!HW3v)6$c>rmB*lp>!VuZ^SAKIe!A;-Q( zIuBmE&0lL>S!g>@a-g3S#-5nsUUP#-6#0#BkgN7wo^IYC-&R4@xyL(aX!$Yt2WGQ& zu!(NPxwbkkpFb>es!DQUvidu!(*8Yuw|oFoLv5uaCO2&?oP#T3Tl3xNY|Q?HG#uwI z+$<}cKVoAlq9q`x52$xi^2g?KS2!(|$Z4#f-4b|`sUrrL&&^rwm1Tja(>=Ny+7TMB zH#=4%uCX&URlbbf{L^QsH@Uy>^RR@)K!l7*?@tV`;U0_ID`@lb0mSfTro%rA6L0g1 zJsN6*`?}O;UyC-)@j(_&;Tqsx&2+G{zllen*;e*+ZN3Otq6W zM2A%&(^E(Ko|=!#hXz8I2lRe!v(&8Wq!!vWJ?f42Mc&Ox;CsL`_58u_L9OadwxDuP#a)r+nH}D5D%aibzT2uNH^Q;dq(o)#sG4Er6+#P?PNpU zUwqzUCE_=Y9qYnDI>schlwR>?-15^KWf2_2ubAe%Fva9t3cUZptQmf7=9H%&y(GP7 z2K_J3r?Qp5)mioE+#~?sq1}<*R#uf3In%dQX^X zFzmg(%o zt{9hLH3Fgy^aI3h0kLD%@_#)iSLmu?PGdG~E|xlxF_%Z>H>d?Ht&dX4WkERltA z0M>UCu(P_~soNnYPSojC*~U#6@UC)+=b$ZnneW-`qFT#|cZ&!vjz$fU0y~>SSJOP( zK0AtZZ+!18t=iGD>$^LvJDMaM8W)zo?CO<+fg+667|=a{6VeC5Mvo!#-Jbbw+nP#* zU@riVN6D!fEw!6??)D&fvS!E^#bYYQX1aKFdBSm))U<8yI2+lskz3H8UlgNUqFT2; z!<~2_bRrhtpS*C$eym4K^x#%)IAC&=#daI9>|~>Ibl?}7Z?k)SfDKYiiIs~B2qp#F<5)ndy z3|iGm_#P_=-rajEkSkF!AcCfI@ZPKTpczY?g(7k9f!`r_h|DDa2$7Y_t{IeJ zW85zVefO%bM0_t7TUdP$hI&RF{f_sJ>q_RY^zkz^0;(;C9R4vTUdK_{7{8_9jXEpI zn8L5GS=i)5L#eB*Z`+n1cG=Ew3)&-2UgAR2%Jav;0`N@f9G7>tws2^;?=RLd@5Qr) zkmO?Hw>iAZ%y!OIfQ=peC-{z8aEj+zV(R_)@m&!I>6FX!S)+|fe|+72Id$E(-gzqN zG{o7k!Wij^jLgLxlaJLqsq^!evysDksrfNt{TGv_{uk9yW#y3A*lHdR!?LhYy;PRz zH80b#3DBCY1^7`YXq+{sD9bsq${P_Y53B%ylIrJdeaLLN2NCfBsE<&poh!PH7+ALaQg=702` zu3qQHz&yrxp0n?yJ2UVxvwadO+2eriO!bwoi+v+{^E&P|m(k2)lhF9JJJoW?bXwn^ z*PqJC^Ee3y$2VjnMyiy@Ty90I&2Xs=&X0NeHj-HbTBS<2tQGQ_~S+55yHiK3O_vACd?3^ZwP4jE2{rk zL;1Bk*Ng66EiFp>8|fQd`kkI!xsH~l#Hab8EUM3 z+bCi5C=ws1dO5CDiD6?6F0kEU5Uj1C})?i{6mpE z0a!pHA~NPy#X8JQhb+R6_oRUOWm~H;6Mlq0BCOIsnRKbo;(y5aoWs<`;u?MukcQS% zGfnz{muBTc)@@xC5t;eL9HXvRZFx}_H^(Unj{9IS~mUfx%zPLhcv4 zbpNiA`t4OS{j2*hg6DhghGg5{g;9TX{yU{((SM9wlK`j?{h`*^CNaA`QhnE%>0;(0 zDrZ;noGK>xz2AoVCHuuVag=Io+wfHbQ>t;+AiBk6yd|YJnIJ`?RbX!{dNu?5rTBWl z^Q1*Oev`0s1t=4|EyDHRIN<-V zg$XCyvm!)XX1b9~GHKP-)to?(OO(+1ST=y>0N6Y=0FoTowS@kk{`GHOi=*I=CsYek z6W}7k_5YV$Hiv2w5$Qibr+GVwUmT8cnE_)L^W1AAr2~BdI{w?&|C`wkXxm$&@)rd= z_p#k~I`r;|WSC`Q@IPJpW<`5cJ?oI%Id=3Ic&wE@2*9^Em~${GE<;Kui~d(g@()*+ z7aN@+_cxl)c9MG`N8@@W#sGy$6rg$?z(&+$LnkHUYUN6;hF7E7Oa5mrK$`2cWqgjr zZet9R@M-IJf!Y6jAIyOgE^w?9CF4@0Gxgb5LPrdNKegS6St&oA|I~3i<~csnoTZ$M zJN(xPRL`W2LEcF;+=4p;;~UXFi_E{;Pg&U}?xO{(fQ6S2`UOg2>o!yTRNP?d1`oL< zcyj9}P|M{dJf?)PWdQmvXqG+Kt9tOKE$IHFQk}*_gZ=C;Tfi*N7K6wVVyR&bn}u+8 zH05Ja!4QR>oN!#N^j(8x>Zo5e?MfuUb;mQd9Fr=vT{JWTSr~?rO45C+f zx5wP^FLXlTNIGD6X4ZiIQ9R({1HCG`sXQX6+nfC*r$C4UwZ4|@nD(XOfP)8G1a`Xt zeV1ihSmYz7tbqKvtOnRuyea5r6K6OdWaLPDX;}JfOG)3iM)PLVR2Z)V86B3X#7VmN z5MMj0T^EZ)Y#NjC7upz-g6`NKX)zv|qSDLtX3BW$;{<>qv~mOa4i5xD4%w24{4QtI zL%N05RWWj!y5bjcwic$?8#$s%%vf1L-6wDh+n|;5qmnOBu#qf0zu!uWe#&q?syH8+ zg#?jhtlkOZ{ws1h02(c|kYrL14WuS9N;$we+7uf1&SbCDcPlF-ajO7qTSBfwq#Inj z_C?i{PR1UYR#j3y4Lz8He(RFU;83Q%MBLYi=%~Ts_0}UJDf__~bwwJ*d>}Q!xH+qKDU_W6Jv@xiqEvQ3uWf{4wy6)C#-$}QHs}p z9UeA16==Y1dJ&1_CWuO7%4xOtXQHmu6aX4RfsbrdNM9=$=Xxgi*x1TY!-`(n`F>9n zle&?Sk&4RhoXfCk9?TCvItp0cDQ!ldy|&<03c}vOtP+d9*6#I3&hu+J1z}mNrpSj7 zQP3I1htu(XK6;HbvuPjz#D7s{L9<2>C-8%)m8JE+gT=h`j?aENDx}j0G*!JZ9vOYq z|H$#O*)9(1po1ece|1IBEoys%C+?cXoHLbr3+x$kE{!45uk;o!k889(JPJi?dy}Vf zzerepT_u_jmsM<*gfO645X#@ITXb#aae7rw#cBlGmutKMvT@YUpkFa`e%|5$;m zR%Ba#Qd;9tj~$XQ%2_}DHJNU2O5EB^g|^9a3ghsv-*K5!@cSM4J588|u;8fPzvL(e5{`s07tGGI%;K0+0AkWf5ehfK2G?;L{?9Fq{(0{u;{5-cN()B z)JX9=GB#cqf_NPUAqF;+Kc^Yua8N#7wgTshVyeP?V}ZBya&CN_iM)8;-hQKr-AJ*{ zB#td_1z$20Hnh?9U?ucva5H*;EVX~7WM z>oQ>z)BUd)tRX)0KXn(fSboBo9(^SCqI-M8z+Tq!MK+%wYt(Fpg+2Ti57ongAIoEa z@AuJr@yppK+6hQKIoVRu-mf=QIUH#o@3y)Gxr_4qQkAm&D#E{S+~BfA?&O8`WTAhK zeot=qglg3lcYjN<7!6a+N)Ru>EPqcJ;^Ol?9Cc%4{Wf}{qM2pSczc}FdcLFc&g=ku8Vyt6mD@+kt*%OZpnw zXgjw$Xt+4~^r%I9%?&fq|D5R@UQxcDn&ozf^d?*K!rf>7&rETD^7G#1pBs~U`u4PG z^wIa1bDQvd3f0?H?Xhxy<6Bepq_2M6HCCYJIn^4sUk}eTwc|!TbZYZDmo}?tdA&( zasDnV`Xu{s9#E$Z6;nJ2KVT&tBYn9a<>-HSMRoayN)2CvacydETVqBkk;Rz!*rV^R zdT6;e46NUHXewy4Nuo)kE0n!)6IOx^d$q&G7%~nKU!yA<)qLQKc^EuibFzYkcwJk6 zy{Yzge7!)SjmBiM^bf`As_yHeFUi4a0$#bjLfPn7P}%%89&fGnnlx3nX>2;kMy*<6 zC#|C>YIy{L?={T&%mdaFLH}ARE>cwU{jGT@CM7X%e*Dr)-s@8lzq&Zg=*ETJv3EP7 zN}S&SV!RYfnhJlUjrF9OK=FS^#;3J~jxGAZ^vzGanbjwmpm_(Y&Y=gLg1Rh)8cl}G zvAlS26&k)A5|rh1M;o#!%rdRb6sK;veNCgU!0Y=Gh6Jqhwa^7t(U8$RPBN3e=O>^{ znO7njYudNt0j*x<1Ea-5J$2@qsWwRhAQ6}@L`hwqnsk0qHCl2rWi<9W4GQ#dUph7% zqPr`q|NcW?)NIgdg`KWRGD!ng^tW0n9W-QFd%;(xBnCnq{HaS4zn--LI8GZ{F#PYg zePg?%j2`KlePf>BJPeK6(vi`ATWN@Z%6m2re~{4JqSNc(WZLb>5)tVM!&|n zrx~wR3+vvFoB-32y0ck5e#?2A=q#nUr8)%-nfTJ*p`1DP{p6FDq!XoiQ3C?EUsV=4 zFANAv#mQsOd!DpV^QKx>-!tDOf5{VHDM)m;sK%eoxg zQxuz%?wV^>b(m+fbhqyv+@$Z}!?94ZAJRIhczw!|caQk2Am)V{z6A{Vh)rs;7RR+V zEIwAvRo$4?=?SZ9aaY+^;lbQmef>f2Zj`k_71Z0>wNHIxPI97A^+Az5v$0STY5uo0 z7N{^!vNKoLJJEm71tXq1K;TOoIdt>V2bKv^!>kGdwo<*@S0z6kFC4S(D9i8O%CCH% zVC*NQ(a`+lFmRN3%7wJ_vW+*kD2Rk-=|j4j6XLgGNdCjR;eFYsUdQ87R$B{n;E6f< zlYoS@aR|8)j^5sK+=X%FnZH8+*ECo&A~rADN~v?_(2LIF(+GbxvSqCD%=A$q?QU5= zf<~6=6L(WCx^`K6s+re1t}7@^XEi7bvM;BnLq*nE3sv{EgKUYf&r}b3A<|~w@0b|H zPa<5l;UobJuz4-3E|mF+N`t;`-RY1D*bk&1z-dW5<4fU|Cni~_dy8!8p5{u7ExPGs zp&|Ay3dHR`>b+BE^@NQ`ULZy^kPiJld&4+jife?pPa1Cm=Jz|?EAYC8n(T>JNrmUG z?&sGw=ahO`)Umd#>`Ri|kH3iYrr699WiZLwsULENT3AHM_S%$Rf5&F*zZFMURz4PsL*w@?Z7(vk*moybO+5{4yAUm=oQBO`RC~jqCWWDPH}36raLBQ$gJmeU ztn%GMTPfK7&?`L5y6n2^8`oxqVH}m>*2@jz9Uea} z{zx9JiYr%vZ)#cQ`^YCkA{O=RNx|Fo`L*!19I@MVUU;cT^K|o(O+S=Eswd?D3nS%$ zxuKm@J;Z5_DV&X82GP42u!&Fxif|o6a7tR9#yw828cNz67BQGrT;)pd&!-%Q#_nVd z?z<*M7LUF<1X^+hvYA{S#Ftns(&|%smDXXeY4ia2DcVhQx4jOXmaHaoaTwgmhgl?* z-uv8*LDa1!xo+gd^S>ntpw<-`Bt0QA(^uR$##3Mvp$Y?yX3WNd&Uc|u2PiUK10Nk! z%p-hXoLNwQ#_+229^klX2g%mH%J#A0U(~1${_!}PH0KV{L~4Cqkk|klkVKqM5|hJ$~fn z8yAvq_2!MMqiMlJL>NUnO!~&Ga{djG7j%}og|zZ}vNyww!(VND)cjW82p!@{p)>l0 zv*c|6k`}^9gFjuf)*03rrni$luvrAKB}mpswLf6@`Kk-9GGyHsrwXiiTv;?iw+%jX zR!qrNU?``5U;}Ly#%%<#vrY53^0V-D*|OCt{Y;~&iYV0KK<6mesq>MLOhi~xQ(t6tu;x3YJppDyh1T+0t;9)GSfD93nUKv~xvG#y}whJ@-<> zE2QwY2q~^ycHuR-QWvU z<56P2b8cjcG%l^=A=gQ>-U!Q6%dM%h_p^_L(MWx*Mw|Md<-dyaWz)`18_jWBOe-AiG#TXj(U3k^qmxq7emY=S_ z@O_zyi;uvn5a*6Z)2N2AgO)fN&v*M@l&7_e07`VxGg*DCxZJn|a-xz{4W6vA3@M)t z7Dk#vV6R^ioI4s;4(P~7#C||fLrKJp`SF~M81;Q6_WnFkKuTd0 z+$DwHMKAs=3+KOJa97ijR?g?wcE>#l8wE9q^P{9PKNX7fLBHwL6*g-7U%D+E6=R#f zsSs;b%&F*TS9zk#cKkv%y3XD#`S^Rh>PNG>gOfB!f=f9nozeA%Gl11-{k72{ZjGC{p(o6;>|1o;ICaS-JSKO@u;9IP$=2p4RA`X6T@K}5`41nELy=-9W%iJg zi4n!`XW<8EvQx=0=ll*kl`y(f4Z~=K^69_{+P>__VsQjnN$JkOY~VXK0lk~WFZ7+< z6ZNlYq&PgnPh3UYe&UkRWvs8{3)b{|EWdOllWRZ&qY*Q@o2rM>4Aq(a{9Rb6HpR8^ z_k>ngK-hA0JF^&^_IV*v;Z~O(NIyl-$O3!3>A|LA!ta2NezOFo41EI=?bUjiU^vnA z``C|bo{8TZB@^t1sJ=e`nt3avP-lDMMsYY9k)SrddXw)Re+Hdl!6xejgv=@gK*ZgV z???-xUKDXE-wN5EC^oDkI}oa38-NwcY2iyh$-@(i9i3 zoO5k(1831;_kk;efO2G^2ZqG>aF+IE!#jCp+-Z@HSm7fn`tR=2n`bcwQL zjcd|Xc*88`RlvLPI-VSM;()@I?OgVq>JhhUY>WZZQF*VsPIdDORNTl-1(W&j%Pw2; z?{r~_Ia%8AUoZO~Ch!Eq-=>-w5V1xr7?nNe_w+^ZfT0jb>9|sfxBF&N;gDDIp^lRj1sz?{j<~7(!(BlHtGbtlVZ64~{7%~6u;m=ha4)xs0;ZBOuhswc!oO1>P>1VW6{(mI*#PmFC2@7d@TN{yAHoJ>4isUtm@9WI+d<@Ap0>r_NgW&5^~4v;cnP zICHmFUrBN@mI+#5@txe?LoE{_z}Fl7P1ASXKSpTn+;HOiYzf$~_#f@@`68jWg(Sv} zoDuz6`_+RAbnlvY2BXi_8nSuee!uw-%Rme?uIWmBg_`RsW6Q2;AZDd&H|uyMN0{}Uv&q7>j+AZ-7- zlk$@nVf^*^ItjLjI(D$vM$Yqo(o%#6bD|~U0XY$Nq^2fZEW#_1iI215mYuRRk(tZ- zyRL>yJVpX-w4ZgS{lU+!yojosM8ZtQ^4@<)Wlq~>(9EiOk8Th>AOoW*m6;Fo_`;^* z@0j&YsS1o29p55axgK0fI^lb1wi?2b_8?M_Nbn==OLsvlgAE`RYS%VjEU#$lCef|n zPkzFKgfCA@nx+(tV?L=A{Z4(@jR(*3#dIE`Fu_H0%W;t@N z`d)b}fEb^xQt^IqIViG{vMojpdk(pzJ?H&QfRu>L%+v22x8~~K5*eKN&#|f_ zLWL(fwdUAU@xP8sWd(_Skt*d1{hiBM{eA@q_IUdD0ZymeaEs8zqieM7j8hd>!+@wV z{sVW1Qv!d8>lj`+9jglM{yBJfG;7bJvzu7CRkSqZLr2jgOhtRf?IJng6cy|%zP=|`E zil)=;scAkc973?gBpOa4U_ z)Law(qrA4)p0oLEemC>4gzfIshV$R4vsA`K-xL0)h=OuHmFDj_;)rS6Z#+d|2;4pX zAigDq(Q7>eip-#q(6@xfRZP0sS#fFfP?dkiYziAwp_~l_+RP{OFNSi zRdiK!{wSeOBBEa4i-bT!l_!hy?u)5A^%z7juV_|XAdrJNVj=UkDDZD9jT>Z3WIv*h zH}zV)GE3+EuP*MRN~3VWNlYF~!E|cEDGGOuWiF$xyd3H;9MxYSFIv+4<;4$?2X(U! z4SW|k*cGn*;1b9mV7WMUygF`QCIz|;Kn2Ry%4Sz8eI7#-(jloN_g>*IPg-C={?{DR znN#Ht7It-R4}VJDT_hrrmLcbVRq%{z*r)qB&#=@AeHd8OV`RT$&FOGm^CKWuv)1%G zl>hKaJ`Kx|wy78WUi=k5;m`F$7ym-$N7FxlIT|^rZkXK(vqnvb$w;xEEWRQdVV>%VgO z?De8zAUr1g4|V&sjA9Oe zrmEJXIl6jWBDkreVBqBXT*G%_km~QmtUsb|r(x+*_oj54_AVvcR?4S&LP$Za-~g-$ za8+Ip{?ymI>3%Zro_Ds}(qes)Ov4p3Gi3sMQN{AH!)x32`_U(<(}tF_hC_h=dV#EW zK@Ta-$9Zg(^^6i0Q!wfTP%l%sQ1Eyr`o|1m*$woJWGSG97{@=$*0N?3Dc_A{`$Vre zt?h;HeaG2VsvHtv{zSywcWsG~N@&Cd{W}oAX6^%syVS<i62oNey)WHY+vOxJmbgT97NSzx-zPYvm2S7W}v?kVB?M{le?;%3NWKl>ZXOg0g9^b54R{;ln;_&uz0P9`^Cny__T*RRawA4Zs}MZdcE;V-F_i z2l--oHZCvDCL4q%5~^p_4!d|vamX?{F`#AZ`fKJC;z7Dtq4lP#2?nkzWK68=8Vx^8 zx;pi5SL@gLvz}*0Hqd^UrndaWDTAa7{cEFJ*MfpS$!EW?xtpl^76-aqz)#dTSX_SX z1af*_96(x4QKd%iu=#K>GZaQ-8DdCP86tKZ}x1ZJSkoQ)~;j{@S0D#)( zfO{8ky!9wKF#DW)kx)fc>Y0A0x|1g~@-8Y_?!(_IVJhnOI3HZUshYYpZq=}NMg&=N zKuD}7B1*nNW=_5;RG>QB6Mhhd`47SI;j`>iYXVr#54zTM?2Sr3oD)_BitA`tnJyFmYb<=!l ze7FGMBnsSKSR_!9E_hlx<4P7Je=w6rE`%IPHavIj6NF@zW`}_=(o?t7~9r9&-Cc1ap3MQqwy7>d(N*wDq za{H|AYtrYt%xlwDIR9z=+-H@_36(><0t~0`Mko(L-vGgyMIx-0BKm9^Z2-~FTLpV> zSH;*K)oqmnM%wX_rSjyuSMVdUdJcd!F@}umxTv63_SE=IDPmJEkCm9~lZYi)`m%?E3a-1D_t*EPe{|IV>m- z?<-bAM*H_0T2E^DTR^!oBHbE?_BkWhtI;c-^^voa-I3lpkE2y5h#6|aV9i>eYz9%f z#*s$EkMVC$^cpnq4;xfxEGty~Vs$BY&rxZNh4GC=ye+>Rc@UcqBuYYu87zY%EX~3a zEq-x)4Iwjqs|=fwtE?{gH~Vdu;7Eu3Mz;@F3!YO7nuRSC1&fp!)0Fg!3+#>_)$5`& z`?HX*dS(rOSR859^Y11!BbCwA@yj}3(S=b++|#r$6k3S0&SRnreN02jOINx=Z<8>Xzi8di_I%9O4 z!WJ+aiG`$vjAm&n%XHODpZvbRl#+~S?;*AH`Pq=Qr0#P~TgnG2A71ieR0b24c_<{% zR0~?l;S+P^&&AX!`;9=26`*PJ0m|mHt8|5BLi!(*vFWE8WRs-xBIUfj_p;TTpt2r4 z4DSCT_8kqhx5V?JsQ>AL%1F$8t`-T94((A6;6j1uR0v zC|SE5ZI{Ddl2wR-iWt<|4^~ZvMAkS-{o7X0j?;-!Ha*I(O|k0A!LSDT>4E9W&ix$4 z!rRf11>xrP?gF3L8`C=_h3@e!7?Fi|?h1VYv9ewBck=}l%ToGKSmV$<318GqK^j|J z*NFr8vDz%|*u@gMgH%nwqZ?pkAr(99{EJwVioHqufV9XoJBRe+WuV#^9lV7>eZ1rO z@;4aM{j6`vrgmPqO3%dgq||F+L#)N zgXlKg*qOqW{k4zv%~a=%@!_FbS5l=LlBgG8^hthklz5&XGN@mm**1CEHtVof()dzY zVQE=vo?1QS%>&HP(j0%PiH_gFr)D+t%w#VLy~5$b%E=ql?boBE@z#I``i+ER@`na4 zKgFzU{c|R1m}w#IjhK$4#)XiUN5kOT8zcKKrCR3_H6HHdD~6P_td3|Hb)MfV@jm@n zIhnN&BpYk43SdXW`YnI-tZ15odHP|dkv~Prw&Uf%Q@Q7|FA4d1?Xj=3PN9?(bnXXP zm^hfd{STD1-Unwk#bFUHX)j&RR?e^cf8wMcnk5AzoGO1dkh$+jmGJvdKz_=lnoIQ@ z+8tH!Wm*-`ylN>adZKHvp1BNPEORk^Y1%Mo{AwHqovc6ka`3BXPPU2a2ocR9F^o*K z*IX!il4mzUZ&XvbYFCdyNFIngChu@>M8igLo-;i^){3id1edlFQ%MSnCVst%s`Qz0 zBLN*pPpE*XI3bispLFfKy=Toxrc?BmSV2dode~%_s?=HD(nj&N8L!|Ob`2}n? zDUH5K$r{V+;L7jK9pe>ePwGjz&Jk5zHGLoFj_beEZR`_$EP@#<^Yq2a;$|6YKN6Xn zY#yu}uFSPk7d0GnBZnawDvS0y>33+&{EQ_y^QQOaUaDVC5O=$bIg9+$Am>?CDLR?8 z@wpJ|#x&lq+4Hh}0rh$mYmi;SoF&w6K_ZvsPCI$kE@BQCp=RCO=Xbrp0Tr^&De=RKL4!m?)oQ9X!Ep-O4%`^=~m< zSr&9-F0OC>g5K8QAypyReV%YCAG2g@!Oos zkK1!!N7SF|r_~C7witUBJXU4G^lIbO*vO}Z(pNK)K_T*SqD@RRkkxb|F!<{9v`417 z%oCIB-i%F6hGwv(lLr2e;=Vha&Gzp*-K`c?yH;^)MZ{{Ut*BCa#VCnYMXd(0Y42*P zMX3={vqq>Oc5GFOqV`Db8nIH;YHaV7`~E%8`y9vn{_+0zUVr2`xRNvHb)DCFp5O2H zGs3HQeP%@c0i(H+#P-Jl>o13`GnkHnZPmi*#vZYhP!0&MxWrGrRHa$yIW3+G;lt{^ z%zcBVVmw=icTb1{D@5_7trJj~xw(nF62# zy;a5i`n(kQXZOAJmE*HV*C_fskx~~y1t6evv{KQ>c~1ERcF^|2jL144qx0RO%Xi(O z_So;ipCvut&eq(iX(qL^L0#}yL_#cY7acAqQSXNhGqGnGA7x%SEy_OWUG1EGHU0E~ z5h`r+^b6%>9sX1ePTkwNDwGic1lr8|a>E4#)_>fse-^{H1$)8jNoobig0#r}d(-SN z{U3p|FC4Q1-Wn(5{Dw&uNXbG%+@Qu@*>>z9&E8txrPaSX= z54(nY{NF8x9(U`VyF6pR(e+gvRlFpZgPp?X2VL@b6z+7z*{)b5=gM(E-;vS&29VOd zZ8kTiTZElo49Jyshe}Zprdz;82+eNQpmFXDuOp~8tcSEeiEv>x(i77gL=4s;W8tnJ zfEnV;w>7Wnj=b1AQd?^!RLid9WbQE&rxSJ?IZWZMy5xzH_{-j^gM#R!Wc^{hqweCF z0#wtQ?ro$B^g{Zn0_J~lU#|zXb$F+5rH<_NV45AR&g)g2{v>E#YmoAXD@ACE7zEf> zn38(RJ!fy4+^x>_4uNo_NF?1&P`pwpiYnIOj2gc(>Rxw;YjrN*Ly-Eh zMl)!4mPWG^4h2P{o=YG=b2$|*^|AK1&KX3cmm2@TN?Bk-@2AOl%4K?rU$G}cG&@t- z86KKoyFdL5Xwu|?tox1LM8Jzn8hZ{<3oc9k69VdHktj~v2uN|R%VNz_7|b#5Cv zUVrI%BmeWp({8$5i-q4HlSzoE-jN&Yjw^F}r&XpNHGAy?Vm;4oXibRqW;=aTL18WO zj5i!>l{x$KrQ_3hK5YKvlT~?2h<$;~cu$M09=4d=O^(`O?+rSI6Sjd*R>tx#RN<}X zr1g6p7pry7K(*DWuBHiY%jVo0N4fQ2Wyat0OZ5XtE3;9sJ2R!uRbg|bMN+pT{);=# zl!_cr&h;v-il<1`wlARE_QosjCh@T}gSKXDEq7cWld{Wd#^@CS@j#<$-4$4gpf-kh0yX{K-sO+@?Dx6is^ZgY(W*eic5NNb z4*J{95XVAjmb%!bNhPiU5kP56k#}IIKUqI5k{Vz=4C`e+Dt>fI20d)&Nbcwz&2sR& zr(|=OI)H>M3Aq-rAQ`XvHyPOdg*A^DK9o|aVhz7=&MlzR5zsDF5lFX{JS6R_%-drb zt6@Nee_PayQ`R63zVSojHlKx|(pL#Q1ouG&tFvVR{|~&RLDgvmKu!4LlAXp^vqVL0 z9miRjrN5Jc#f=%SB$Uju^cF1 zWq6O^2;`_MXL-x`s4g0;Y?J5DqIoQZkF;TQPV)|bxag3lwybq(uuDT6f+P6~de~&| z&PFQpV!07a#xB}7J3jhscPLyGIg@720eK%6=|~Mnui!30(CG#oAIv%3;*|>-dd)XO zxD>W{3nNe*87_Nxf^UDyIVCPu4~!@%dso_UN-I<#B6;O-+g7&ej} z<+5)mhO%Cn^~>uN&r3jw{F=?8I4zsb`+p^kG*~>@K<8qE*Ww&T-5e9H5q?+W7-BMZ z-)1-qnRFQc2zR`Se%A0UBaNu|wc$v6yOi^JMe^w8?A(5l>Zb|E3VI`%qiC1yQfF;~ z;RrczWlUq{OP58ukPzMgKRbM&vwpn}*-piV1|562p!FJJ4%ehZ#WA9PiyW{l@GfYb zhvf2JEq!TG`LRoM)p<(FLj>D672Tf8Qb+BQYl@q=Ymz!7mwv2lXP_n}{(P{dq3L3a|fjq=d#rL8} zrtW-wHm?OspPp;Cy5ldFKKWq$ zn`FTiCJY+dS$ajVA9H)Q^>NlqCrT>j^P7P_O_CWnDWdlvVodGFO#}CFBlhGm0G2j2 z!aG3bgzk<9*IxS02&~I-rC#$)p92a_-R1AO^H!99U9Y*czuP)lX)@CTr}MTDNUXwV z+uF;Sk)as|XIseZ&o|hux}M-lV&uZ$1L$GfyZ6LjF8)x#emp$a}Ve`fwsE(-ctsUPW4M9R^}Qu;Y*ci7bl4 z;c#oHcQS*vS%z}5{iv+p=EV$H~%FfFL{tTJCuL8g9;#M#1L_iu9x669rT8eQVXr1L1 z`E`SZw|hd`8J!L82`Gd`%J3}6KT=svGbf%bRgvyJe%w&{$ zRgwNP*TtVPZ{<>y82cjyze@e){wn#8ng&V~aGeH}flhP>ukY6LEA9RaYv?jXPq|c0 z1yTSyvxPM8D@c*sB~Z&8E#Mj#=K}=>qC}R~S%c&sRyI?qGW`Pl77PWnUg$>4K2cP1Q{_OAUdMR<$G%z-5ig z-70exGUlNL6bwt~O0E(>-5LX5NBBk6G6M|ZH|sPvL!1Pr&T@ln-)KFAtV;i27Y+jo zi^8uk&PG?DZ~C90%QOVB(Uw)$`s}$;I@@PJS2!W)a*rDbG%@KOCs5tK$6t6q;v-8b zAt)dC?G9%U@^`uh+gmvlsaOBmK$ttXbTa{8R<-K+?x?P1rXKGM1*`_Kv#O<)*GIG>~=|L&DW~gXq!sb6edgX zx`wgHShnZnJlxYZ(a_hnu%5C;rVzVSbQpT`HqK8PH{UTgbP?g@iTQEO#c^=NfEk)} zQzXhoBm-DOl$~%RYnA%y+V))LR%D^XQ=ofX^J@VBDNA1&_$~*;*#!Fqa=ne|aKatv0lE(?H>~L0-=%~LhYc7f8-IPA=^9UZ0}Vc&r^64FwVFma zaGfI(qJWlw*thcI)hAk`v8^KJV>yq>ol#ILI>AUwm&+I6*)h#sFLPbl8?^LX__=xF z4-<_N??dvz7W>KXfrq*;axLfC_YFDvRxr9R(Wrw3`u?95OCA|syq!}qPsmI+urMym zVF|EHs1^;hHf$q3RE<+`R3wpzY>2)#Ku4fAtR)$*lMl@>9>}V%MbJ4||IU5Y`GB-M zKB7W?hzu~g4h|_ZU8&zJ+B5+wA71AF;uRJ=3enthUiOJY1vdeZNst|QN`?JE6dJ2- zaAah}cz#6jb3oNwpgS)TqIs2)X;>mU;Vhfl(yPLlvP0T43><|jg;I1yvEz9Y8lwXL z{D-Fddo}XCPJpIt0A}Uo|1IaGLCnBGbHe22NX{d*BSIq7k*7?Nq_CL0#pAUGK$v*^ zUW(QX2iQ%al;4?8&0VHfQN=kd;R|W1Czs(htp)>jp^bba1q4LA` z^!1vP;{)(t&KiU(5z~ji>_h>E8(^_{7G3gU0$RDZAI+n1lW(;Fn`2XX zWHq;z+$)yoH}<0y){!B9evNt$Of&)drQ4G}gL=&D29Us54zp!pkJg!r)N~*dhZk?j z6Hb^qgoV}t?pOTQm<1xh4RYD-JgW1fDwu|$aj^eVPvUP~FY6K;H^T#HvdUiZ+&(l| zKO%vpsDM!W^x%<=;A31ltC5!7?Ff^I^cGl6u=dO#N?#p08NAg!u5A@n{%YPNNnx$p zA?qR?IIjQN4>L9kn=#?A2ilpo|40P^kVj4Sg7K%q$D9yLV>aCPhkJ1t$w%{m5n&XI z3dH-th%(r{YQZF@7Mn1+(XCW}b- z$Mbku2HTM^p7$QS3p;!}PnKPMC1Fs7B%<%&}3;m&saxZ%O{JUNHKv z5q;943{Vbh0*reU7a4CX0+4hArUO9cBH9lO&kO!Csg^5Y1ctt8|BLb~*O%6^j;-Z7 zx0*zjtT=To=uQD0l3`=Rd|Y`&GO*k2;cCjedb){^=1o*hE3?SwEaf1*vczLk+WZRyFSl;9Rgr-i$)c_5E+^z!P zEmzwuafM<(Twmu;Kv(+lf1J?D(B|*F0lcqi0Wjn#$=uFl$@*u;y2;Q!_g(S7PXl_q zl9}&W|2Z9X29VV-^=W|b(>5{?2P5!q!OVBYZ-5E|FpgqBl6YgRak|3L@cWd85s#s8xv8mk33{y&>%jnY(M z%;k?m02)#SC+LOr-0sF4jg10UTOX^0tWMOFSM7S#trC5JH7nKU7a&A*0ko7DQo5|< zAcSBpR{is(&oIm!2Pg<<6PzhMMR7a|zNU$*QZ+NLxdy^j4rhF(L#Xul;E}hrQrw*( zQVD;E+Ge98#r2z=9n`aFg;>bU#6h0)Vb3f=j{xpT8N7Hj7gR#0oO8Hh*_#reEud0rTa za;6wtIE3OZW?k_(4?Jan+w*<4CK`$3nqjzz$g2(R93KEiH4qhg;FvA-a5|XFJC%`E`HCHW`U=(0fE*3f^eCIjwI+2ro5AdojW+bzgl1e8=kU+jquZxph*k|!a=2_q7fm#RBkT=1gy$|(K4VjU|| zb+q<~a94JW{7!j-RSsS+VZck_8BbgA;_`wNKyjmSUw)wu$|^#INcI1mICc-gUYhO}u)Pz? zHcvL%`EGKUDA>m7*tZw=@|LB2DxE{u$JxqXJ@Liw0(vt9#VCiN-?uDx4qvy@G`ApE zv;yPWlC|%s<1%eSk<+Ttd6MjFJ^Z$RBGt9H!PiTd2VdT+9CU3hH^n3QP#hJ_LgMk8 zki10ci6rbG(WGyU3M%q>Mxiz3@VM$aBCM&-mzW z`XK#akMNq)uKnd-sF^FOi=y79zZ3XW+J|m#PfsT@d%j@J(r|nN@MoI#ODij-2X8-5 zj2T#o2mCTp{qgH4sS5y@Sn9Vv)gc$+1F!!B48g4)KwryzKwVcs(s0n|y|G;*MJArQ z<=hlv%#xpO%LD+tkI!IU57f>^KyJ3DB^LL#>_3m18*?pIDs}2je}?pIlS zbEy$IGmB9QGhnss_*?6X#&uFc*j(d|krmb(}TuY)+Zs$L@oR zjQ1AW9psPG+69Lgd=T!WzpfvIZr_c#0c&{ zL7Y-s`)vuO>Iu=!G|7l7igrOUXOKEd=Y_{Jo<`K3}tNKBqQrUXH&pZFSP(z2i zMcl2HYHWN~#QDHs-=24mP4>&y0HYQWAvwxGsbl9zqN81xdWE*BWMotszB<_Se7{<3 zUeSK6h9>zF#k*?k+E$_!EM4CZqlN7N}v$ z=WSRB`y)o zk}o9X@?5VG8pY_@Lfj2aOk}$u(y{jU zg}RSD0_C$7JNB9mfK>u;nJ?oos%aNd@^|Rg4k7s}qujG^4lWnwM-^f+O_H!bK?jO;pr zQguMJkDvi6`T`@pKIJx}!$(}YhhY}6697Pa%~hlVxk*LO-=i}C53C&(EN z4B!RewW8sZ5ECaoe8#D^?F@aJcR<4@-9pcfMKn^>docB$c<}tL{a9p)u9~!)E@R0P zQHL|rjd#EC4BVV?a7w$IYa>%js(*j_`)m1_715RK#R&OtUhAo?@M|L%Pz$)Ir76x8 zHU5d|miyYD*k8Sjw{r*t_CE`SdY%{9pCnth&Yw@_Rxgbjc4XP^rIv0tPLB!^4%-C5H@84tOO~;Y69DX2SdIRn&0FTVmjBnLF#v#N+e<6%?5@I>^$~!gi9aG_W4bUQM+E^*5Sg;+(LD2 zTcrFv*GeF-c1mzlph@MXFvxUn@2Ps#S?}j(6zPFb>_u!G|2a($v%RhY4?zo_@|Uxo zkRZg4sGj-ht@Ab4!BDUTDrGb<|GDQr<3h-1#GYQGqo=&%8+RRvMmo#bL5ctgR3fIV!Z(gL;&VQY1GiNlZIx> z=Vpy_l7wIma~V;ncoAjJxtK+TXG_kiw|+l!(6AoqsF95U{0?A6D;8LBlgf)PsGeJR zXZ^bbkEN2tUdT0(bwo&aR}xoyw$x_XjNaahO}TKYP@8jPvkI+JuCLar+DB|e06j>bE(ZX5Ze{uq5OW+!C=u-%;SKE+cnp6H*cTSXtJul^3HO8Ac(lyq&~glGOLtJ ztyg*u8vDl(VY}%M;z8iw{#&C1&JB0p3?t#pR591Fiz8foLFEV@>Vpb*qiTG&+h9fZ z>UP#S1DC+t?i~m(4cL@hX5{zsFYXgR6wvQVvLoG6O_G|GjT5UNu)P;EAALL1%?cdT zFvyO^hdi$5AM86_bkuHWRs_N=z*$1}`op1b8Fzc6^|-!_HS~AB?`b`8&ma44wj4BN zyQb|JnZu5J%hpkSH8Ofp5LfQ;jN*eTV$a!lJw*JqtRSW}=k3b}dxVI}T_%quFj{aU zGldxA{QnkYp1h{yRlGhS6<4R%8XL+uH6M8uhJy*jw1g=jC3CBPng9}Ld~@DwjZgR< z%g|{q-^^%g7?g28`m!>NCsLTVqtGkbEJ4^{@HAk*KE|=GfTQd`^?KgT9xqZegego) zggZKn7O)ZUSx@Z)6kgS7{ClnB(@Ln77R$QR5|B>)mZzL?(8I_+VK2 zRV0&S-s-k}a6ju%WD3qD#h0tItK#W~6q;Jszgbf>@3?kneEwD^4ErF#V9zJTD{Xf) zUc8NM>!Z(MuyD;c870W<`J)Zqu8fDcMZ=tx&~T>Acgs#dv{1-QLIkb81>)YQ#vXt# z`y_Cochl%mh}Z9*s(ZiEs%bla=@bwk{2MLMdUK(AXCiz${{2iYizJ&^fiWpZHz~K==xN{En1u~b}ecqJL*=h`_##J>c93R zEZ8pC1WyWYs0A-{Yd3+~xTHe<_xd$MR8pKT_Kc)J(>mzar z3YF(t$<;e5#IQGysi@HCPaa3pGb~jZl5t&S;IyP$N2GRge)XXhQVu~1K^T-y1c$(n z7VeL7ecpgyQ(fSRGOW#Sc_ zQV9fDF!6o>p+x!77js7zXduqP{ms-BaJ3H!`kMtl>!7^-xf5FbR1$nd6#BX|bq8DP zGJ{X8Mc1VA9VK#?9`1m<}Y*O{c!ipuF3Ivzr zGAI!$5!Q;rrT zq5s~D4#xKA{z|AjW3D+~F`K2qgnBxBDP90~?k4_|vHsZWVn|r-rqLKOR!H11b2GM} z5?;t^ux!D;8SD%HnGYebLrg_<#JS7eOnuEjb05Png}L$(J0DImFdQ-LgBy86Q=1i= z8edlkMFI$t?}k(!xdbOOa8m{KeQXWioFA>EAwXcV9h;({OqIgD_Oz)AG{ZL#$GPj3 z={sn;mgdVG`OLU!;wEmnCU{!gWSDb@c(Y$STQGH%XheU8xt~_<@LnAN%rFcZw9Ho2rYj$r|GT;dj+qZxtv=RR(x=JvN%`eD9{%cjH#k%Zk!Ql}QO* z8XHxW3^Gt_7;TNYD+VzV)?^0(v(_(0)xOUbY_+=FDm|M+Yx{ql9ej%s0@G=`PTcDSWbzc^z1ydLT%CA0qGKw~++eW)mmY)^c8G*iI-dQv_q5`Fsx;P-UPexpt51m~a$1sc zFF!60DSCWTZwd1394>j5F|8;Ip-8DwXHZbsm(svGg4)N-A8+wt!BM$h1p1raiB&$oYz4A@acLuR+P~YW3?emm3qMTkQ z@hEPcKmKnHu6i`zdqIUn9enS=pg5f+gmQ}x-h5$wu>%-A*`D(c)t!hUx(v=})wgjC zcfP1C8q!W?T}i*yX-tBz^VMzN*+< zX?p{mr5xu4{g^Xpi__gLpBKMWTeYOF^R&@_=2w+~j7~#i7oO+Sy*9m5-@Nj3LTK~5 zaes~XVt=~!&vmAYGnb4LKQQ+ED*fbDX%sztenT3?WL1>e{xfNdd|3J1;n!87pIf45 zs;dpG!EDL|u0{5(u~wdTP(Caex z=D+SclA#55-udLQz8TBYCPkkdaqhvP^c+1_lpYvo7x$6tTy%HWE zP-yzSi?<4f%dR)pS9-b>%-^)jU$Ef8)UML!C|x%@n9Llr!3|vm{Zu^7pIZ3R>@=L7 zDfB+CjrU;N-(9#)18-4Wjzd*dgF|`p8R=ekh3g4*#7DbJ5>7yu?0%h16@>&2C*fW* zsbp!3xbFTQ+bZ~=LqFR<{UN-l=l$ZTZTZ9>v1s*|?f337ob()V$ZW|Ef6V1A*Z@-8 zElyoV@xS6(%Rfdb2D zHHiN@^Y8iphu5L;oxl)kFCeE`YNyTGdnTvnK?y~qEQ2p?+b-zTWq GzWiU&pNFde literal 27939 zcmd42XH-*9^fnqrL_x(uQz@dNKp-FrN=K9yr1ug!BE5#*6cOnH2_U_NmJoWcDn$Z< z^bQJy5UL~;L%j!o_g(jX_Z%HtX>ZYjK%mP? ziZ3-mAgcEu(3wvc&I2vGiP%iw-$fTi19uRJ?)vH9nZcRBLlEc=Na^KsZSS# zhkIN;ympVXq)X|7mFs(lj~CDQcd&#CHeT1?#l7|_M>f{H6Cq&Mdo z6cm`B-)FQ(+!zXw;wT!KA*2=iuHe(O)Fjn())n4*{rN)Balb=0U9FXUN~>lS;SGqtQLbBkqGbCrduIn?C&+ic-p=8={15 zk2$|%{O$?ZSv20M?&$X;X8VWOqd617A}Uu(=CMixrBzZ)OQN_ZHE>7aVXO3^9z6bgYoS9IWdGreLjdXkX%c}67>X~pUiW4+tuc05j{1?|@jSfzh8gt@ z5J-g1hxa92R>qzed!YY;bblZS6g={1j5pV}$nQBzW6;v5^ik6M8)}U?6XScl(JG@~ z>eM4Jk4&QOw8{%Dy6Y^~Ff&8G>w#Zs;kVmQb`lciRGboN1tySt67(ru2?FdnNU@Sb zC=)VuX?R)xm9lI13IoA}7t%4IErpV}NKhgc_cq{6!f*x^@*O5y+-d_Bug7q2X4G$T z&pGlXqefImK5P3s*+BQc1?_}bi1L&g{=A!LKl6?Ws%GwHABEMKbevK%*@UW*QN|l6 zImEmV9v?5g-=~D$*w@cfZj4(?Izm^fex94^tRBbD?^o>FqKrqXv)9OvEpp>?&H)!X~4!1Lc}h!;qA+9*d?; z&APpm6-_wPP$16n52~PwlTFLN+#y4=CS#7<@`j_eOJny`!s7R-SIAzS{#+J4_6MP2 z{QO@>kp96B`_&Fh?Mp7z{0K_2dAoJA>JNr7F;D>t%;wJXzCN`;{9O5sZ2S2hDbM@U zoMnvV@8>Zq+8x%TLsgd9*KGMQS+Vlp*h-lp%T(RyfuQJoael`lbJDew1Z$}Sgu8Bx zG1ILHy|fDUdVgg$tU*H)bWQj1iyl8wF=nv}cHU zJyYqahJFc$=dBjc7mCd$LWEw@EjYlja$LX@h3I??~-3@dyaH2kZFJ|m)LJiYmURbAK-tIp{Ky<3H4~{@w~C3Uzc!g zCN`%hE(UFRO?+C6gHhM(10rKS5-h{pByO#Ob@x1ptSHP~sB-fv{Mgr_nkDwKeCRL2 zep(BkEffiT?({hvLApIi~Ad;?O%^}QPKcw z>|E-e3CsoCCmkvjXHY-5qRuUacz$Y29*?npMf|wuLGz%G!y}Bl?_RIM(5jfqhJId_ zqW7Xi?RDf*)62fV-Rb>J&jw0b-JmcRVr=}Pc1BK9y`RHe@4d!u0uB2?TTg+LY1iY> zL*kWOl70%!$b;sz!o#|N?<;1D`Am9kDnl`jYiTR31g-p^H}#I%J^4OM29*fZiWpds z{J2hLI$>4zjT*CQrj3tzor@c5(0PeV5pu;Vnzs6n%D<)<^)uK+=~YlB?ohBz_%8`7 z_2A0y>M2R~+Y$rSKH~OZciRn{A_)S_MUE2H{|a?`N|rWp6-#kG;1hH$D~jbeI6X)L zeXFnfO4mFK`nkyTwT2G2n4VqS7bjLsNn?g9&M$j&xL;UEyP2yRC-zjMrnm~~0~?KB zCF7j5^XtWvS6~~FuAE3YJXp_!B*IA{*DJfqeJl8OL{>7_%y+m|%@2=S73+e19F_L^ zx#0ixO-WI%Jq0S-E&eA%VdC{h;YR5+T$ER)$o$TIO--596$g`!H%vEEl67A9>qO(s zs&Z1LG7NnDcrVNU6`c@1am=Ld#AiF}GEsv-Ea#i`FXRe8fT&&*H>*$m+&!aY!{zw~ zUx9xHZ|WPV01t@8_XpVy6+z(dEGQEw_iMdizjiQpvDQt(jL#R2`r3}BMBT15q!z&} zV{N|p%AcdIR;EV|SwqS|YJO3oYZkDi$QZ*2OP0E#~$PRF|$_s9M}= zF@gJ4q&F%4=qAsTeC!>=-Ej;iP)#g%b@i>0fuuEEp?UT|jfo04qz?vVq=in^+g~fy z*1wC(izyl^rMtmwKCm;JE68~McJZR)RAAJMe2HQrMp(te@u?d{J9(LX{DCu%y*Q=i zQ)SJ8=B@ZK+=p5|g9j!v!Z>v|#$8!RB`ysNb1H!Mqo;idj#5qZ=32hEq|Bk?KE2BI zlv9hSt?s=eJ{JbK8lXhAO(t2b3O59zRf_Muj`DU_OhC9n&9y?>T#wiAAiKur2Tj{N zjbiSGGGB9#1|oiS+|4l5&TYvRqtl`Md9d)vR0Y33yizqcckGOgAu|%5`%rm4-V|Yo z0rP4(G9`rnZmhb^b4K%STJ89N^CTS>s_{ebNqSO4O&z!1N}9ik)eX21fv!Nm2;Inx z{`9KyQdaVK%{+T>{Thrsw{*INLEli!p@MUCnFNWrb*Bor<7OVa}kw{m(@;X}8ikchlk?96IJm%?2 z{prt*)WaB|(w(_J+2KYaiHfrcwPxOnh-dTFThn~&4|DuqPOeEN520odD>8d|3xx|s z^~gC%BD-#i*yzKIOqNY+XP$(lv7A4FzFZyOL$1{O>j>%b2j?|>4B-+pDehuL?qO)_ zYC#c*^LH8+TYD;HwmKzp`GA<uZ*&@)1ZNNQ6gd_d?y*Y0Q3 zS9#|W(9o7614JdsRE{O;6~{hjnE0{p8o5t9GBP27JqQ#Q9{vBHg);v`T!f3crx25t zMfz{boit4UM`Eb|;l=;Qqq~A1DeE(hUPG@zpwXy>uGoT-k`mN~BcfW6*o^l=^pk7A zIaEUizi@{t%xr= zCcUwE$N5~2qh(K)pewA;KFyL6YdxR`9Rh({_tUzk>5ouScw{>ut zsy6QL=Ym)JPVP9uSnKi5Y>$x5_dO_cVmf^_w>_W_kB>V-cRPCc^c3?bwEbz{VQ1Kp=5_d;N#K{SF*j zX&O!jch+${qDNCqG~EUMjmFdUWO&5AL^%(tA>l3KZo>(#W8+7OBVUNb+LEiN{iyY? z8~%_;EY=>&5n$xmadTCk*x`?~8l#M}8*@Cm61wAq@3vjssD%r4?2kMgbyiK79w>R1 zU+POf`YllpL9f&mV~gi;n~m{}4(Y60O+612Yx{`$Mf`*()sM7vTDfYw8{ByD%{-+# zZi_@+Ny1&9K)6b;bCE>xBur;^>N{ayV}Es{vq|X`5^1~h^FlqJkq==rb?)$WuJ@Q} z&{6w!n>`sG&2snBYkvXPnC(Vnlo+S3#2R$@8Rk>*&^@}mzHUvgSs#K5RwGP_Eq$+v zAerF4KU&>laxyghj#wtOBnUIUn~Qp)f_#n)C-X%9Qjj9Wb;I{dg|?l$e>EL$ahz-| zCgU_+7p=+RYW^1DO<1pjF-W1RK&?bg^a+3}ta%<@>p+*;?oUC|i#d?>#-{7Ot4+6! z;^DKdh>x_g*q258g(`(k+f#%cBO;GBQMV zXE3{6W&G-&-`}S8GLT8do&)*OIwQ`iFi|Cuu|})C=3#`M*4}h@JHa@{%4I4XLTnjR z-bv2y|DNyp6z#8LeX)n;6nr`#BF4!cy-NU_QlKT?D<6qsq19ir`*gIMJo?hrVk6Ms z-sD}yk1EBQfH8!##g&C~8&yOjwpMIpYwx>3Ju&DIW!O1M>mqy*;S7GIi^y$?pM%zt zQ8DJd&U|BvQ-7!G8gGT_OqTZzU;IHxUJ1Hg`}Y?i0sVfiC=lM4kWrf`<1#4RLtx43BLtNa*$Y_c%d`(lK1ELN!y*G<;Id)c-ovW)vtEMb? zDM;j~!fdZ-dOYPrKIf5!LGTw1qN7Gn~Z zrjKf&`6BS?-C4g)zq!=ey_P){J}B)yRAG#L2l4sWE!8n%C)tp7@jydp_YSu5AFNL=%H@s%Iw$;7aP$dAbfj7gv&|mrN zMy4Os2fU(U<&wkP2ZZZqmg5LR8#BZ*ysoE%@~jtM)&1Sn%~oFIZ{uhgKZTDoa$3c8 zx1`(-f%e zs*BV@{IJ$a={K~PC8+i)(_%3?>p8{j=t-C<>5JVdWE=eacVD>J4@a>W&BQA8w@e9t z&fYadR@zw^LSy*uSJ3*FU(0@m@%E{f3_w%iW1{)NQl(ciFmN~N}p)Ynru~IV^%ksHH{Nz_KefIQj_f2YcArowz}Pz^=Pnmv5u3;i=Xal7tf_N zxM`*ZF4avpF2WNDsxbrs-T=v`^CAK&{Xg?P$HM%}3_V#z-4@&VuCL8DrxsHszkLyQ zr37BSK2_@s(rm-9N(cJeI(cOtZx;+jKb=*CeUYE%r*GKcx{&&o!Ino#^Xinh5NP{L zN$qUIC%5+hK=PkwN=$g^3{BndoYB4bA4o1kw|16qOuK)RTHj0Gn!&7lZKCqw`gFa! zW8_hJ7rU}ehR+h{{uuz3LXF%vCl53|Tk8Ch|5o-wnN{AU4EU&lz0q2%1nD~{@6>Y* zmTI#;1z~|uGS7_joW9W9{%GxJ!}p+Fn;=gRz&!xr83*t~uxgs;tp!Cvhb9`MnGfsN zHcN#!KdeN`PqDt~e{wp^Kj3~jcsC=#ZS-}e!>MQeOCyG#55Vd%->0bn&8xk_wv-_(EPRV~nKFd^db z!>)mAmK>>k!UCe}5q8W&V=cSY3D4$Ej`uPd2!6BVjBe*J4ex-}X}uN_Qj4^6v>6ms zQ93a-yIZsFo#vF%5QP&f+MYy2VoTzA1l%*->zjxw&K5z!py0UR9>D*{Ajo~<&N+8r zfP-~I?qx*p=>eJWGCuyUwF2(bN5YX2fguc0DVBF%DLlSIWlZ^6q<);3|KC50O^7Ev zYMNj3vJ8p_Yx|U4<1aOOuBUv@l29}W4OhH4v~z`n496q&R0kzpe#z{2K5cnauNsj) z|8t8s1&4w@NY|=gO_TDu34|uzKxm@x-a`H({YvN$#n~BUy012;ym>r7m(L+}td?MT ze4a(9LbZF4D=&E(aJ34!;bH4Q~V z{Bu@@x)L4yc!B&Qz@2PiDX{ufL0Co5bQdnfsrk>}D0mNNfo&cdup2>8O}ZL-5J#){ z_(F0Y8ll7UQJ>}vsFMnk3j$kZFp5k25a@?!oDYJA2q#C%gAX_T`Hq%s=$$hUCXZrK zrLe8RZRH@+QzFXdM6qFm*(5o`uk&${9m{=9i@ZWbjmXim2g;^R`6XwEmV8YUN|$*e z4QF;LcvrN<9@f;<7ds~oQ;a|5Q<8+jqeH=8wQhkWn@lI(_GZGGPA0ku?vcbZ#kgSU1aJ_XY%lRw3V*}SU&pss629by{>3oqH z?iU0ZtZpJIP(Oa7yltL)ZlmR0ue@>#hJGTM^z#iieSUaaGJUKI z9h_fOfwI4k?h{q5e-Ay+mM}lU#SxI}R+P}4x@8oIX9j^fyZ;52$y|g+ug&~!P;XoI zi?A9h!0wg8&uJdcOMLMI!Gutu2n@b#iSe62BRC%8Ie|_z))w)RtI| zk5f&a)t}NopgZq+xZ7^IjD^G&Y)Tw1D!ntQI*5|rQwxjJ{5x$U?JiWHp4pi1RB+l? z(5dX|S>l5t{zIM%^zh@nCzbOKN#*nDef3ry3-zJfCNS_@k89lP6EGJ1^xnTz!xjjK;64HDSbB%Pd5hkpkM8W z=;6`R=Bw8KI9}Daa@L^HtB$uh_XbL5PW1QtzMTjfJX=aSUUVKbmHadQ^5)@T>%l;` z@TC8-xZY7uc;i1Q%3PrZ6eRcPVl+d0n%Bvydy&cM3<}SkdRsvGfAhru_bF{K*X;My z@x0mjD{Nv_Y|EI+zT)U#TU{J#Y7$%RSrI;SEdf-Y&c4R~-CD4KfUwV>R`_Fm|dQx zW;PZSg+$I>emX5En!CyJ;4V7r>xBSQA3So(oFVL+V*d4p*)i^>lBj)-e$iQ}PYwgs z!`Am8t%oG&XLKL2)@qM}KxJ1{S`^#EAdrIw5`f%;SZ)Dxr;^7-Pv56!mw4uyj-W%u zF{(ko&o=wj&hVmwm6W#X(bxt%w~e;9R0-Z5#<=9z)f;hKs#_NVz-dYN0GCJp%_-Xm(Fp>#6gI0MsZhDc2*9m1pBg`dGmUSLn~kuj87`Fg3>GwaWgC z_ak1nfu`o~^Z721PPT3lhM=XfU=^ft(OPjI>Q_!mKKu^#fUY!N<3#5QuOEu7C&!+0 zx?-5?fc-yn4=;~PAPUv0{dPb_=!zRKSfhrV>*aTaP1Pe37=#4QSyER(Yeb$wj835X z6V+T*5e@z#$hRe-$Kw&j62*L|tI#Xuh5tmZe-042awmB!k6Y2atb-@>BrzWsict~6 z+G9NOiYgHKkOk-dWIFSjo@x^(VC4kO){1$azT%1XbbX}-PA$ZY4RyP-?I#V-5WY~fXGzq? z##a&_E&+=cLn>Nbr$xsyw%2h-^CzQ7Bb$YoQ&C+CWmAY@{cJlD0)U2E;lM}wowLg@ zOutU`?F&4g8lISa|EcTY->s_Z>guZPKFPglk9}f+06$>mgH`ZfXgG`&`%ce}YZWhj z*zaIyOb|8~aCd-#W%_Ip7usCP;oaU}uIqE;T}rI!0h&Q9XHT`a6C8T_b`alLWBF61 z0nQQt8EuQ-V!A=`JZHEyXe8dw$lqMvw6(O^^V)!@i~MI~w&{URG6RX!ZpA>^Jn-wzLE_dm+1{$vwLgnwLzLLHBSUOOCu#GEDLTLTLy9vFR0xgNY3?7$ zRP5X|Z8y4u-2I@F@@TzWxw?`zXua{&nfR%79s;@^?2It1mNe7TM%--&0U#Ws^p;YjR`h}`72nrO{J zk)U5~ZaBc-}gc> z!#=}5QX2^OoP2GG)_Lx<9Q~^uOf!b?bW=Am?8!>gavFQoBkVKHW&8Q>`S^%d$-7P8 zHEi^Qju(OsV-qC)-WH+b0j(g22KqLfe=6UkH(wfltJ^ikW{a2Py-uN&XNzQcJ=gv; z@<3bu#pJvKsg4agT0`4R%KCDNM@j|o{c849>ga9EVFis@SFsoACAZam=ffX%nq12L z8j&*n`N_)Do{z~UpEUE=0*k#ReA#)T>v+=iM3GZ={@;}zG><=tC?YpNVm=bn1_u=c z90||exC2@lgeR8<)T7^xMjtkkhZZ5{7hdW-NtYDeQ5 ztX@H6yGCXvBk5y&c|YL#;h)C5ST7;d%K6aq)n^O5cV<2OJ)aJH8PUaKB2^VAZsKG! z?7UY~yvkN0R{0BVO+xW?Qoszzh1QX`CcELeHGn5B*A!Oe7?-QGdrvkb^`&sYHs7uu z`p=kod5FVVTlPHCzw-9u&{KcKc*3~fQ^`W-X1wOoTeeXGsDA&Y$HWDWlfSzPCnvw? zkALNzG^mb&SsmClGx7w99b=yC&tsm-)%HZ0WNlF=5)_P$vV?ItF zR$v);4a^ogP>a>j5Ac(gGA&>ZX3yJrsU4l+%V7K)ewnUMM%9V29a?9wOv$l{;CtbF zMVsgSt)_~np@FLtR!NfdyvQZ1#)S>h-hFO%SV1gC_*UH@9PWOFZ59`?IIO@XmpN29 z#P-@W*CvmqYlW0YuGjh5|GM?znjv~2UZ;yu)#qn@!*k)xJu}$GyF!2BP0X{S^}TRL z&sJuV$B~8)uNtI)TkVo1R}Sq6no+hpXHLhjg*W5bvs*OJbqbvB#jEU?Q?y6fLCCb? zFqRglpE}lsVtb;Ew^xiDvo6za?&U1H>_@zyAlG8_Y{9dGaBOa}UdQ@DmJ>*Stj=U@ zKgDllF$8Dl*O%MJqr#)E0YP2ce9^6Mvl9~{{5tWlPEt{-=QY0CwoE+s#rm+1#%FF- z{LCI%%s@fof?jWKtW*l%I3c8ViqupP5=Vi*-qPGcN~Dj$8%%yPn6xr-TuS|0@kG~+ z6c%>8dL}n)x)_;dK)`C(Z~pCAO|njHB%$pch{ER3D>$kFO$`yJGQ8GAxFX|xqEryOpmN7dT?gtH@p2;J6B_Ld{R-ps&VUG&^KpT8djmGw{T+xPgG z*r?P=VD5`Wd(%JdxIwtu*|3_zVS0OY+_BQOtdSv%rgbbJ>sF|X9IKT7vl+J@exlm( zqS^!97J!thKd0f{k^7gSbUw`7LXWxmLN2P89?8l^R)p)V8RAu=*&X)hI*+t%<@IiK znN!wNEGP@#U2Zdsy4K&I5~R}^l>zL)Tk)d-WNCMY#9jQopuimmv>FPd!YujP#aoZ<)9QM_Bg(p6(lD6QAr_)s5Md) zi@(ZWGvKDnoKHKFH2HR=ST+04!E1JjQZ?esy>_|lG_r%khO9kU-hM|c8XS9g{4r6- zs6I?S=@8NP!}7<}`!9A3U%7I9f_>jWG;J#@c#<^vK74DZA9^;gTYD?R#CKr*p6Q1P z@+-IPiqVki`mEqr}ID# z9W)y8u{iF4Rp3dEjp>Yg=SIMQ^^bH{`j12dSZx_Hb3hj$M;@`0y{a6RDa2K%53f(+ z%Qe+fueUVJ>lWxkah1lC>TJ6$_Qo|s&TUY^puKMlST%IL=iO@qi8_5bsb_}FrXD&w zSu#;Zl;JMjE^G+aaSB6Nsh3>ZsD}Hji;cC|fyTEcB;mTo?4GSvk=Dq_&8A`e!%*sv znj%>-*WAcSyv&~gr({|0TjDgSxFm$a(mcJ$nZO_dDd)ODEywcYm8z_AN9xd z>yn?=ayLit^9uBt#mwq~0si&F^>$G9*oajlTC_r)LLJtYbbS*KZWeDV&)#(n^sGAXgMtdASl}BXo{blJtaoz!w?FEK)go-!R9Vc3aLsH?y&MyPSHFqWu0*zJ0QaT@SHVA{UzX2njKS!{U5sh{x zDMO#o1#^`H0R!vfbe|D#{9t)bpz)Ae6B(54YSi@_Y(oGK1Zke6jK~J?KLy!l|^s zEJoX>y_b&ZEA>5Q4Zx);xI z=JZjgJ!3Xglq#P5%~%$2`s`e8!tPXjzw8>@Mv&a}A^vaU7i2iUZ(rZ}khz!MZ!fJ854Y+|S(QKL^r(TD){_ z7Cr`>%Dj$FQ)YQ8UTS$0OtfQcDsG-z`4nHQ^PVeHmuR1mDfLD(zFC%VcTlrQ_gyLj z(LiIW&=BrsQj9nlwlFiB(eE_FOQ^ zc<>}dcKlu#Jx7NBr<PG7X*N79DWtqM0HdWGh z`|Cj(KTUlF`w&SK85c+(%Uk-3LAVSuy(PRNheVUiJ)DPYpB^VpOF<|LAAafVfN!Sf zV|%7FwfFh8QV;VSHVR>v;EvOO#UIiyJb|?&K23T&YAPXMV8OoKh~0p?5roWX z!IATB)2RA(9m>ZyF9OGE=LegY+{!UxOsm3Od$N#_`Is^ABG!zf2ONb?Ix)v|=u*{Uo`XG!mdXm9qy!72` z?vG40&gdy9Rbpci(6Irl7T1!}tl z)v*2a4WASHwegrC)2hNhq7u8&@I8xE+|UK3f;fdhhg=ET_}up^vhXDO3U2-p^n&K> zJ=y}_1Y;k4BpRo@LvSX*=EOGr>YfM+_cUwE>7;tGuWlqIn>0x?^zDVwRQapAjiD}D zt6%Vw1$$x9sLO!WxRfr13CVW`XN&2sU<%3EaeD?#e%w6zDqAb9Vzw(7q}UP}hrObQ zeOCBQcLgLs*ZmOR8S!#WW+iR0xa@PU~*!aqO)ZX zSIIcwqr;BUuV(xB=3YpTQkSx$q|T)}ZU_%+e5Ku^++u%(x<6NFhflSfh;wO-Ud1AQ z-V-9qFpJN6wjCZKfqGkHJ)`WnnKXFxyF%|+>kYvU{F9C0Yeu2rh!gB5t`I=BP|oPt zyGz%7vysKB7O(=BL;w+YE8z3|w6FLrA_wt_#d)R}iM}JCW%Tv1$nXh@p3bH!WnzD6 zVPA3;8lfR_6l1$>zOMcmNixN$jZ{Z|g*x-8jcw&D7Dm)MwaK+QYE*(>=OJRTh5UYH z@=%z^)T<%CQMbfTXRWCPdE4Q14eb^Bqs_xRfd)vgulaz&-dNqpi~>lROGv4bkbE_; zdD>K-s(w+Wb!`;{r>)gg6YO1{Y#;`O+b*|a-qvf@L5D9UQp=E*n;FFy;>QRLgE|I! zG)C#$4PFJbLDq2z zsQ^UglWN-hqO)dTO`acv%B(NV7iEMXQp=f-DeyIBsM!3JSKlqN%hh-$}_$iNNU#WF; z-O(g!1S+F5^Mm(Ao?Tl<b8}W@OLd?nB(<#j0By2UT;)91az^niD02Qk z7}nkv51ju0K+=GvKNa);j(@nL$4u*TPNZRI{ZfkkAS%g3tkNH}8o?ZIuoO`a666T* z>q#CeOri|D6H0B%U!($wgh6zhR!du3+*=r>X*r{=8Te1?M}o}AU#zQW0{?_?U;@|& zJ*qVT4)Z5`Ba1;cXtLsCz{N8kqGq-=f7oS$1R;PaFq8N!@iIs$>z>4AncARov+Gwl6;)U%*i@{4h*)Eq^}2n%tMQ{{w=He zQ^-w599XW`C&x#`L?b5yu#Y+1f7NJiC9MWgc1r$Eo!Eru3XFT6b~S4Tbik&{kZ`Jg z)t_|ey30n+{d=GHb53JWMardsO5g4<`03RLklFMvp@uuNfQM9|7O2OfcFFvF``*~4HJX4i6{VyLGcP{NrdYFL2c~wq72o%f;go5|*ul!DC0`_Kz*v1XR@9!R` zfW3hnM3vna?Y#f#pAG<-fp~0719#95X{V0%=A<>Q93-0-QrlKg=ELx1XW`^; zDItIAWcOw6^vNp4ChtWlUnW3jObuq9P%;JhHc#^h2AxlKodx)S`&_^^90>P&@Jnba z!?S>Y>5y$y^m&^>CkI3z|Eq*Atm2&138jCoMy$fD*SB)vrs4Kp<}LD{UK@!@()8nu z^6}6RW;SUDc7<4WlrA9F^OtCU%l!QMxPoORAwM!?+^*31DCw*%N{vi4q5R*C#HBN# zE?J6{gb_6WPE6&P+KJ_9E~F$LZV`^%@uDR%`&!aFT6ExtlXrpXwY>&%Fa)n+n|}S) zeWyr7TWroYC;UTrWo{>5{ikC1dqvZ_(zOz!8iJPpL+1W)5XehYM~2 zw3k!!u!>-o)J%i^nepE63<*dZ0!u1U#TSlspESozh{c%gt!pvmQv^(h?$0`*Xbx;$4rlW@0=FVgIG z9sS&{{D}e1WiSLs> zIqY*=o2reSJhdsop8*4Qt>o4|N+7@%wUG_`GcO{2LYD3?&inVydy6--2?Rra35nfXsk1jvRM9veP0IDpPX70L z2PypvHZP$GOmP!05d!$l66b(b`6Xw?G$5zPQsCb*>T`0xe|+cZfQk^~jTy$H!=8(?SUe4gW>CyH~lT;Jc_td(&c|`sWi0a%1t@TEE+8a zR;T&}oQpD?4&6zB;oe?MP{W2|0&@MqC;vK^8Dw3pk%1&kRt5BOpVY>J;2w`V^= z8kTdq3DH2F@UAo4m=COA)x6o~@9(f7fV51&w(PG=`hQQw$16jW#68y(lS~7B@bIT| z{_YFHtMAS`9Q5`e^-M%5+o3DD{eRsIkb8r_j{Z@R132jkO9D{jX)@{+r zBDF#53}5^Fg`+lUV5R~II@w8ei(QVsJKxW~;rc_x@mFR)vh{D|_OB3nCj6i)0Ey~e zDZhgi@Qq0e*qyi`hrI%DCA;~lPAUE(*N|_;##F2yfoZO=Ci{_!nrL#2e9_T^3D;^v zn3M1o8seHJDe4(x&s|?~V$Q7oDl+4G|ER*IKcib&VXjQfscEY-ocbknc59(aygPf9 zQS~*BEVE6eB*fewXC-k#*?l{`L5Ehg0S@{WS;=j$tPx>i|Z=RZ36No5qQ z)&)4O)#-I`PFP9)bZz`g6sJxaHFoO2*9o^}t9b-f)1gYsr}AJTQ;Q0=9e?^vH;CE3 z-90!G-BHbaaZEY6`0uoa?zsN>nq;N(0T#)Hf8_GEi(oJ9Q*ke$+LvxfIv|{SlSt^; zK`l|S(ug7WjUJt?1`L@5ftA|BAq^76mpqzEsFif3QLCgFA{yhN>dIp>61u<-vk{%I z*AIk*#7Ek|{GCi)+hn&IjzrU&4i^G$F4(S`tTd1%3&lPj80OZE2y%@58H!t{r}4RQPXt9LTj zi{CnKXO6`bh8mT?>|5Xv zRE;Qo#8=iL;s2EjK#y_>_!)4o=N;ek6$U+?_g>SkU5mF)66HFu?)!?*)r~2Y-`L*x zQ7z|sWA1+^c>);)-EcU0I}foe#>2h!*(l;0ZRk(e?psCiMq?9r>>?A|#n$lkmQh#Z z(nFQZY-oSQOGN*h@*Q{Wy`)WpMl!K=5Sf}jxZ|$Xuh1p%RA(e4a|i(7uT+x=WZKd> zNF-~zUJI8WpJgp|QZp&{a0*WT^(ABq(yePp5-V;n@kt1s8a4JyU-rH|_Kg8!A8)!- zxUCZ#(c`0Q+@LD7>@@J4&gy6Uk>6C`6g?(B-F81}JGzKmN6bVJ{#NRkz ze=wSkyE7Z2L+M_fcKk^yOkXjuF!0|T?f6}l?kugROTnI)hNouJ{;n;A2-_v`o5Yzk( zxoc$Yo%zA?zk@ZbT(~})jfjk6*0Q9$SmS11G zpJa%KfahoFf`gywP1-ICnrZvq&u@9T9F-gxQ7Jaep)uOF#fSP*V0j%^eNHzPNj3Mq z&Ik2qEA@ToRN`&v#s)z2jP~7z)oT0A29Xy#D4`S@4y_JsyeDuoO}aT~dyXk9fAyek)3v+s+0GnQYM++s5Iit; za=*}>HdmtVaK5pIr$q!B+w%=y>cIe+9a7n97kyv8!P>VzNYueUq$jL0JZLEDazX85 zpnfnJPQE|Oxv}|S?7nYY+%8{4#^NqAMY41Imi_1{jt#OQg04R`AYdhfRV6XtVmkTg*iEc8yq+%x$G z%eNG61NV3dv*Z<$4UE}f_~xkltA1VSsk^?3hG(`9aI_Z4PzZ0!KAZTS4!L@&msV96cOJVML{beEH+0=DgRE7M8+i)(lB)kk4r=%czVgVF(^ED2Eh#wio|$Q& zGHXNB=4s=zVC&G%5SfAbvBctM5`qN(#mJoD?)4KLrpE=gTpcHb?pS^gpA_HBaXAsg zc5P=B_G^L6JE&I^>ErIStEBk+jWYQ7y>@GDqyYGfV`*$vK&juSubYNO{;8Nw$I?je zIClE1&i&6^E%C2-5Un$B(dVx&p&-(#(tVd-eQB^S%{eq?ZrGmDrKUAMv(!}`;+Ar` zA4XnumNb)i%J21}%m|^U9O*8Z!d@umyrO+WOQ^Y6}9 zs#mwkWE!O*2EP-|3D`N;NtNSy=HHfx>?JTW6@m5Of9DTPQ3M?}$-O@ECuJ%-xOT^H zie)?xB!5uesqsZ8W&T>1bJFk|jg^$lXFErt|1bGFH_6~$0S1g$ai&vGsXH7An`#{$l*WuUb z@A{>`{lAL)uBfKEw%drG4N*iXA_5{J5C|Y39aIp|AV^E72_PUM1f+!C6p$t$m{6oj z2_+DulNgF9AVGRlsx$+H9+0a1JHFp{{xi-v7yrc>#=6vRiDYf$R zu<@U09Y@daaaX$poG%R&cEry`IbFCX$7`g3pluz&#C2D|L47B z+ET?rMEUeO)6t2~-vuWOLk8TQnW}E898uMs>$}k%Om`K_;S-2i(TLL+_SrPG8C&qY z*io7g$m=bv*QS#@iQetg7<@zb*iiAE0u?yaN_Frl^CejkC?Sj zgs&I?n0bPy3;Oe_xGU9$hlr>0lk+i302=&@orQGWMft|-8jIfA;U0zgu(Ca>gGns{^FNzt2Yn0|5a>eex?4YSoP&6-?NO^zJge1UW5G<)+aP2Hg}K`OlE{&oUj%fgY(`(Y)CWG~%jSmWAoa zPwPS-)@IGpu;L0gvsuT5@A!?)hMd5)W-j>1qs%Zz%G#2)5(GBwXKuLGa=64@YTc-nXSGQxv zs->u9jeXBuu@EKq{QWA&#&WZ1)Q9BcF-`Qc%Kmj1X>_QQ(s1pI@>8L{8ttF-I}Eo; zn2&Xxug7b2LXTX!_WIEvTCxH5I+-XxYjuq!M3N6kvwJ>$;)m(>iJ4g- z)G{U4W=e&`3$i@+erZi6jHZ8s4KFIdu$a*$vX|^W?wXjXPQqrdB zpoei?V!XBX*o;28@`evJf@Nx#KVek3$KX&je{HEFn9E<8D3R;$jBHD4)b$VDy(7RP z#eX&_oWB9as(TC6UnMw`Y}Y=RSA3Mc$gc;taQcpmc+kDtC@Y(-D*#yqH!T>gF|s*r zy(G2Zw|WZG2r5=$cHBF^xv{)*5kt8mu|9!5a_-`B7<39O9{N7O)0H++U2z$(5-FfY zn5+yCeX`nMh%J@g!(t9=BU4^DJo6wOqU3dAfZozA%3J#aSuq4<+Xg*9alo$S?wfDg zDM|ORaP!e`N-D7AM63qT{8amAI0e1@(U*5aEMP&N54s;=pVO~>=ZHth(w`q2)L_Xa z8NS{1Aj-xM{+nL1@@zCtN27-|k6Wzjh`4m*RvBM+3FV7y-@dxlbo-Q;-a46LdT7rp zeg-7=s>{qPkmeUo_aB~9&{3v*8W6QaqbH3euGeU{%&3KoI(wGGc;%|)=Og+>+6ofz zeae%&UGE}~^1QM_!f~5DUDV%s3pzbRFA~%4FM$@q-$j%w>m=-CSJP6a0ePyn+pJ_R zX=f{BNYOjRQ_TyEiDQ?lx7@5S^h3!{|GF71*)Tuj);`4{fW_G*vOu-7$f4QNJ-*@P zOrk_nuVB+c!~!D%FWku zTi|vOduQiFn-WMBkJ-Qlm>R6fbk3VrangRjBP){o24(t~!%VW!+@C#g;9E)(z9i3P z4y|3ci{Zn;ZP?~YGCO=Xiq4eLR)>P}OPiVvyJ7FQtA4ZR=;*`$GB<0V6i6(G>WSH` zlbi8N*q0j!Fc09#qVJ|4DJl}`_|nUm<1y!3O3UY8g;iLG_UWL=4z1tO;25DzRv;ap zBm3+tK2N{hq1fwkY|6L2qT2a?2K8tq%cwq4rKI3k=M3BOC4#(*58R<<1Ub)aB?{2;Jago#@J}t zUH-InZG0+3QjIWqDU5>98a-#88Ofw!?E{b3ZX)2#}v)xp=ufP4YO&YEzV4V#_mo&JY z(|4&|4yp49MM30)>tLUn zF0)#1ojs*y&zS9TVpH5~x!vN*SxHs5+$ z8*~tNbl~S5Wu1e}wCs4RF@!S5%2>WsgwP{jyb|;EBwN_T#_nAy%b<0x;PPr`IP-pr z%r_x~=^3x1o9Y+cZtHH>sr+j?VBx^b;87BXb$y1mWuZoQcHNKIKgsY{#-^)^Cff(Y zG7l&kuPQfL=yJz?&GvY};g@b5Elv5>A(-hziKiG#evjgVghDujQRH_^Xe2D zlWtDmx$U3z8FC4VmdCTO)!ytb^G@|OxRmU0|D#dhx0XTaf`x25EX%Lyb>rAXm98{G z<^I!te=Pll<}z?PID1 zp8P(VdT#MfA=fLbkxc!vy6FxL$^EhL&w>l^It+n8|6`Y#VwJ<*NH7V=3@wa{3_P4s z)7e`kMrCe0Tx-J`+*k9Oa= zeBrN}=8;&%FNQJ@_ukd#6Hi|#tJ=2@4`A~dUbNC$35aS4Z01f~A0-JSrSdo6`rT&$ zpwC*LNg`o}L&3D#AiQ^K@y@4P2O2+Fn+x^*w?UUdELoc1FhJu3YWkt?ur(aCJe+hj zsqYSVSh@A^N8`#7VbH774EqehM+ot-qDMl#4ZSrSBMmvrFE;@Q5Dz*%#oS|gP1l*X z`6@f$Z)9KLe{ItH`m}D-5zxy>OjRE;H1N4JKoW$gn?`ZA^t`x;f{R$lx-X=l#g0H) z4QlV+0yVuZH&mb<2ZE!RQw;Yd5PLH;?hH=8loW`>yEgP6@6ZlVI9cD#(- z>{pp#>ZV#NIfhKtRrT8s#RN>c>P+Ict=Y^eiYwuE`F%EIJ3M$@6920f_=HWA^z)&#u}SS8K;MxBj+bFB><2eAt$B4?<5=-gcI za&|4?l4}n{=z+&EEN;4YJra@tmqY!Q?S0{x)0~3a0M?Kd5BSq%BuzH&T8&#Z4EYGq zCRW{9$z&vD0fZ|ER2dpBr2&VC2KOE_q!_nDMeJ{!hdfde&exAlv=k|Qeg8D=%|0Rakti(NE7YZkQ{Z^4L zRgr?NdDe4tPlPP~gyhv5Gl1c2?!D3O%58tYD)H@${IXM`VTQ-+=k=J|E@$=YryHI` zabq9!GW~_zLHJ`p?Vvg;p2`uMv$}JpxfqQ^!zbk=SwL zSaumAW@JND2tvWr@}*jjxk3w_Ju@0mzl}24lezK}`h<1zyTm5Jw*cfr)cYU4B4n_9 z=1YR0@ZP!LU*PI{Vm8l!>t7Up|%8C;^}z5CVz zVR~QoL^^=80#E{K+WQ2~?YTq@q#!VmtBgi(W|lErfVLhnuQ|69(>pqLpiz%8@+ z`8!{~z@@_)17ZbIk>w7rz7s9@D?lL*?#q2aKPY zydSRuC`j>#J0@K^jpf@!%=k%b21gOH6^athPS{^<%u;^=p9NHoo!xw`K%xS`P^$yL z$Cq)#w6fK2<+dBW6aJ1*!}|~MWet8CrH6Z8ZWm` zd~#GiG38@x8qAKYXt5>1+dS*LXeobmj^_)o*9IxS>T?o2?aU`+-;@1UQ1^-zIQ@v( z4kP_hN^aAi?YdP(LzMV>iS_>5xDLri6@*(0$D2du3lKB|Sid|BVBf03ooC3v;jv#= zeq7dVy()(*$_5)Z4Zp0{v2b6Gw|@(mc63M$(KsS5rbb{?onnN@)i>04BPwlZDXO&x3N#$1|9~`WEz`U8+2? zUz1x_Bpj$IXaOCYJ#=iq3)xcH%`oOm-z&+~X z8RLpkQEo$w-5@2TIak}NZ|EMs zfuB47R*p1Vy9il7j$MI2w9}sNKTp(IZb{>t%-b~Kxvw67K<+@g!GJ|7z|58TkXh}e zn$^P7j_xzYa|!>FM&0!<;YM(k51vdVFB-5P!}1w?pS7)xL8@YcW)J=NT*bmNKM4Nu zD(227bs0v70G!rT`e%;YN8qs~J~8^oI~l@BkuYE;;Uqd#8A{W~fRr!f%rr^9Uh4PW zLrE#Hh-nkBQ9<`JVJ>9>bfql+Tfy_qBK91Xzuf|m&>$Wt zKUCoFjBR=x3jFTl*WCXU1HA^~=@S1>u>v69zIX(IQUAM<} z|1MtqKd!{aVi!DwBOu|(-QYg5NH?)P!Q@x)vSzxzn9x;+kcmM z!{bsX5V-S+UvC@WKeH(g8HHk>-i--sIJ)BPu&Cb@v9k04euZb&qEps#|Lc)r_!ve< zrl(gL5C24^ERy$(2A^+MYuu(}&XM;P@%hdHaXXWxq!Y`N*fo5b_DBrFS5s%d7JM+hE)QUODr{K z6vGp$n?#o8lC6-U4x+rd9?@3R&C;Fz0o9(}FWvWpBHG8@bw}6synN>^Hd>xB8zmap zJJCYp@G9vz%GIAnRLmi%3LQ%;w2Q4!*()@2;5AFNxY#Z~c9y20@bNl~9fq1Ga)8Wu3JV?||mBxUwwM``p*6nJl0?cvHdw3oFM_iYEG9rnwp`?alKG@+L+h7?NJ3EQLMx2D(2Hq*{ zFI5UpxsVoc?T3ccdv4=yZM<*ZuaM`>`AvLcmp;&QJub~9E93j2{b%1%9ot*LT^ITk ziP1#CvcqVrw&K|msP+<|VRSF;DsuKjG3V~P>ly`+x_D*US7&rx>U@2?WrbWbad9-# z#j&k1gw^!!TV5Nh)QWle9Rm;k|O*EBE zgt=iUl&RkV&y?U`4!yQ(54pTe^7H*R>p4|<0{DyhJiDZ|k3HO7_jrI(Km3hSTt99q zU~c?43CL|I;Rj5KWK`)6yCS7(iqC#DMHTEJg+11Oe7pb%3Nq6BwTD}r;(3+5rU8Ae zT6yr{p9_Dv&y=!Q{+0{9u)1yb+*YiDa0g@f>Q1WH|Z?%~AA5 z^pJn`lOaO+kDT;RdjzSGUO~W*UJOp&&n}WEwsQiDh?8hfcyhUi~;`!dtE z1~)BDQu>?lh>CJ?%J&U%9C?>uk%;)tu0;tS!!Eg)RDXFnJ#f=2*ia#md@-z zp)?1OOjQywQl{5G#I)KH)6omxgp4u>eU`PCt?(+Mv4jlixzQB|39EMQ8Qp$Gl&-Y7 zn+P^-oFB$V@kan2TpqRUh8KgqMQiUN(nRv}XV&-Tar3q)`}aBG-?!H5e@MSg2HLYi zCVnU^!c%cRFqfoHTdF$#P>yYHJ;ZqH&hJTybeB*VD*J4K}W6fV8yfKYN& zn$DD*eJAA$j8ZDp*C4*mfll%Rq|fDy{|H#LS=j3fp0moh9lp)P9XA}KUzbaG29pN! z@71Z7w4HLQ6BIzqo8_YIgjbKJO#> zEe?tofuYV7XYgHw3@Jd~)!r2`Gg5tqb5iNCR!JU?p?uy;3P4_Lla}v1wb`s4CyA>+ z*>TPIQ|l(ksa0BTZP`C`OaOIW&1=ZlcF#W7zw@+clXD@xuq#K+k5CvYzTIUuCS((+ z?|`I4u4KHEU~m4d`XDdN?~aH9w;T?LYC@_%jUMqi6?EqDI~EtYiJ;qCUyBoZII6Q6 z#xmZi78t;RD8>GpY>?V40dBs+FURBizC@$mBbb#nlM4?xJTx^$sr}l0*$dC zV3y+fxxCgMS6m{-ry-NCdk&)>(};Ked~QF0@le6B7p)uRC$+qC*KV1vN$fcfG%4jHAXZxbOeY5kJwuIiSZa5smP(in)7;m zSB3W{#mIleERE02P$JyyKlN?&k<{XTLD&0lWL0i`#q%qjY2h(}%bG_4eg}iaap+xX zSPaPLP_8Wcr{~P#%d<|qy zyY2E|KB!tY-(cn9NlkZjVJMk7KbMt!YrGhKKPmZcmY5CrmWKYn$l)D5DVh@X4x?vP zHW69ZCv5$?N9iZB&j9KPg)W(F`nz>Bz;lg8EcKLH~Mx`ne?SqF(BAihA(r*x z*{20dj@9NvX57h3X#?ett@DCk>f;8)z8?MSEb$^Y;co1K?~G-C6P7HS`~c4>Y2?$$1IZeNB7f>t>IUUlq8;z< zVjk9t4o79F?mlw9!3u5bj!2Ag?ytP+(!;-6evoSHcUH4_#rq=LNJ| z9*z9`-Prk$J&B$h(Xs`AAgT~rB)vnyd|O4*_C|%LDj1QRHEY;_;NL5?6~-+rO*S50 z+vSa*+#miqYrjY`ve37TvpBR>j=bk(MWseA4juC9x$Scc62;T{qI~;;11&S7I~qBX zXVBx+E%uJi;bFk%64SYEp*CpyK=LPSfp{P&abePm)VfvV`RF2oc36IZxK23TVuDSg znNhL9?bJPw02kJBwb7r#$#`(=y^?+0GvC0Z5zDB)%BvIJ`Tk3HJ3YQEXRicB*sS+x zutJssV;RT0A!dsh`&0%yXWi-Qh^%1q1U2!Ltz=9nlAy`1lS{X)lkoate&klIg;L;Tna zJm;G}R||E^Rb7vwG)@Ag$Red5!4S6cjAR#j}| zL4Kj%*;LX#Z!0k67*P`PqR8qO?}e|Q^@z&P&{eu(66Wj%1@H_hQA2an5weE9+HyFAMc_?Oew`64mJdH+iNqU%{wRkFs+AwM>Stfwf7rz-@o4#}ew_K0Z z9`q1NF7s^s#4vmdF~~NcnOPM|iIYPTlnnMzVpeZ6JGM(@VHpOlPUlNyqx;()-^a5@ z7^FN&U4p`PNScL;~hrM8SAt#`)Yh=jvsTtReE~Q5qb1{*ktTkVKd-B1hb@8QTmHEY0K4u*G(yNJC zW~thz;{8u(lhnkZ(#EP0k4B27gSMN!-|sSj$R_itV;5%Cg`5(VRFL1ad2J-`+AY1f zZc^UozTa!kjyTUzJ6_=*47>WfThhHT_7gCf`sTMK?sb_g5&!X? z{_<~>rmI?n3k@G7JU*Qk$}T8+(oe5*2H54u+c?WJ_~YW7;TZ9HBj9-0n!(f~2nY{! zAFA!nsz-0if|)^A>0garGZmhV-2Q1XsMQ5Ryf*xyDPnEuv-0D*XsF{`Neh0HgkRvF zwoFY+KctyK^-aZgYlpSok|MGHGGM>$|En=?Nq9763d+Z>8GJrB{c?2PRyyL%j)h`D`IQh(pJReB`1 zZ>o1E1)PU)+4oGZByxww>BEomUBVkvPnZajT`IuR>;CPQJd9lDg!O ze2M;BLF&^s-sDLqa6RsnCX!J`8nj34rzM4jKBC(;)sZC^_>9S`pDAU zcWpmXXmfkj!L}*_&aTc$%3alE#hGH0M)j{LqjT=Ndwlfn#-z7De+S6=WD4K1Mdl5l z7e&_RylNYe#C)rqml|- z8m=AQJ>^m+;@x48N>{ZX1Az`yo}bf$SK7lG$kncnPVKtQhFhk*5cH^6o+=n0SYy2Z zLHs5YNFo0ANnw08_O^*obNrVXygW+WQlk1m*47NFl=-VhUJlP!2++2LBHpN)wO(ll z5UA^&7n5ERcfC?dJ|&XhKnIKu@L8tOq>{nY_1?}H+RtYpN==W6%ZST5FWPR)Ck0b~ zUzDS(pl|D{4t)gJld^&oKDB%5=IWy((tY(e_VgdHf>x>WF$)mDHw^RydIeCAJfZNZ z?_5ztdv;6!{%oqLfEnR`O8zPTpS&-2Z~6VEB?G7Go_KBmd;LC_T$26n390<_ V_oMWV`;0L4zNX$?g1YsK{{qVPsw4ma From 0fc5c1575c45368487396bb4cef1ffe83d54c36e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:09:47 -0800 Subject: [PATCH 200/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 89da6e7ecf..99428b624b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -63,7 +63,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat | Alert status | What to do | |:---|:---| | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | - | The alert is a false positive | 1. Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

2. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.

3. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | + | The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
2. [Suppress the alert](#suppress-an-alert).
3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | | The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | ### Classify an alert From 71ce32654daec644b5ddbd198d5fa7f167bacedf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:11:16 -0800 Subject: [PATCH 201/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 99428b624b..65a56a8421 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -85,7 +85,7 @@ If you have alerts that are either false positives or that are true positives bu 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, select **Alerts queue**. 3. Select an alert that you want to suppress to open its **Details** pane. -4. In the **Details** pane, choose the ellipsis (**...**), and then choose **Create a suppression rule**. +4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**. 5. Specify all the settings for your suppression rule, and then choose **Save**. > [!TIP] From 5db57d8657c4b511930d491c3010cd25ef049736 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:11:44 -0800 Subject: [PATCH 202/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 65a56a8421..3cdec79594 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -268,7 +268,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the ### Cloud-delivered protection -Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. +Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, cloud-delivered protection is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus). From 98147f674b436cc6716e980e2869d013fe4e21bf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:12:09 -0800 Subject: [PATCH 203/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 3cdec79594..f749263f1b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -280,7 +280,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)). 3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. -4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting cloud-delivered protection to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy) From 4dce3eb74897b63e1b9d8093282a41702e395c25 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:12:47 -0800 Subject: [PATCH 204/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f749263f1b..731967a11e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -300,7 +300,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. -Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. +Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. We recommend using Microsoft Endpoint Manager to edit or set PUA protection settings. From 37c3f8535612fc56170dfa2c61bdf3befbfbb465 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:17:47 -0800 Subject: [PATCH 205/304] Update defender-endpoint-false-positives-negatives.md --- ...fender-endpoint-false-positives-negatives.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 731967a11e..251443c99e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,16 +31,17 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution. +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, includling [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). -If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: +Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives: -1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) -2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) -3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions) -4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) -5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) -6. [Getting help if you still have issues with false positives/negatives](#still-need-help) +1. [Review and classify alerts](#part-1-review-and-classify-alerts) +2. [Review remediation actions that were taken](#part-2-review-remediation-actions) +3. [Review and define exclusions](#part-3-review-or-define-exclusions) +4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis) +5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) + +And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article. > [!NOTE] > This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md). From 2124e871d4e374b3206bd09300c846ed9e118495 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:18:18 -0800 Subject: [PATCH 206/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 251443c99e..9fef03cef6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, includling [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives: From 8c5574fd668f3c09831eb4f953c3f0fa40ffe846 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 26 Jan 2021 15:23:49 -0800 Subject: [PATCH 207/304] Re-labeled code blocks As written, the commands in the code blocks that I re-labeled work from the Windows command line, but not from the PowerShell command line. --- .../microsoft-defender-atp/troubleshoot-np.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 79cdbc3b60..05563e45c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -86,13 +86,13 @@ When you report a problem with network protection, you are asked to collect and 1. Open an elevated command prompt and change to the Windows Defender directory: - ```PowerShell + ```console cd c:\program files\windows defender ``` 2. Run this command to generate the diagnostic logs: - ```PowerShell + ```console mpcmdrun -getfiles ``` From 4948f6d7dc91d0958c655165d21a17b11b80f142 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 16:16:46 -0800 Subject: [PATCH 208/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9fef03cef6..784067032a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,7 +33,7 @@ ms.custom: FPFN In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). -Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives: +Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address them by using the following process: 1. [Review and classify alerts](#part-1-review-and-classify-alerts) 2. [Review remediation actions that were taken](#part-2-review-remediation-actions) @@ -59,7 +59,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Depending on the alert status, take the steps described in the following table:
+4. Depending on the alert status, take the steps described in the following table: | Alert status | What to do | |:---|:---| @@ -69,7 +69,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat ### Classify an alert -Your security team can classify an alert as a false positive or a true positive in the Microsoft Defender Security Center, in the **Alerts queue**. +You can classify an alert as a false positive or a true positive in the Microsoft Defender Security Center, in the **Alerts queue**. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Select **Alerts queue**, and then select an alert that is a false positive. @@ -81,7 +81,7 @@ Your security team can classify an alert as a false positive or a true positive ### Suppress an alert -If you have alerts that are either false positives or that are true positives but are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. +If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, select **Alerts queue**. @@ -104,8 +104,7 @@ If you have alerts that are either false positives or that are true positives bu Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone. -> [!TIP] -> See [Review remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). +After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. After that, proceed to [review or define exclusions](#part-3-review-or-define-exclusions). ### Review completed actions From f0b5db42db04991d4d0a921afa3a23012134e131 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 16:36:30 -0800 Subject: [PATCH 209/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 784067032a..18ee9960a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -104,28 +104,26 @@ If you have alerts that are either false positives or that are true positives bu Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone. -After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. After that, proceed to [review or define exclusions](#part-3-review-or-define-exclusions). +After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. Specifically, you can: +- [undo one action at a time](#undo-an-action); +- [undo multiple actions at one time](#undo-multiple-actions-at-one-time); and +- [remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). + +When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions). ### Review completed actions 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. Select the **History** tab. +2. Select the **History** tab to view a list of actions that were taken.
![Action center](images/autoir-action-center-1.png) 3. Select an item to view more details about the remediation action that was taken. -If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. You can undo the following remediation actions: -- Isolate device -- Restrict code execution -- Quarantine a file -- Remove a registry key -- Stop a service -- Disable a driver -- Remove a scheduled task - ### Undo an action +If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. You can undo most remediation actions. + 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select an action that you want to undo. -3. In the flyout pane, select **Undo**. (If the action cannot be undone with this method, you will not see an **Undo** button.) +3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).) ### Undo multiple actions at one time @@ -133,6 +131,13 @@ If you find that a remediation action was taken automatically on an entity that 2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**. +### Remove a file from quarantine across multiple devices + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select a file that has the Action type **Quarantine file**. +3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
![Quarantine file](images/autoir-quarantine-file-1.png) + + ## Part 3: Review or define exclusions An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. @@ -142,7 +147,7 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi - [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) > [!NOTE] -> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. +> Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use exclusions for Microsoft Defender Antivirus and [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) for Microsoft Defender for Endpoint. The procedures in this section describe how to define exclusions and indicators. From 88c2ccb91f9599910eb8929a0bbd30971f2eda0f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 16:38:56 -0800 Subject: [PATCH 210/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 18ee9960a2..f61361d92e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -182,7 +182,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: +To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to the following capabilities: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) From 5a95a0a2fcf9286ed70efb477fd1cfa21e7cae1d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 19:12:31 -0800 Subject: [PATCH 211/304] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index caeb8f45d2..780fb5a960 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -117,8 +117,10 @@ When you're done reviewing and undoing actions that were taken as a result of fa ### Review completed actions +![Action center](images/autoir-action-center-1.png) + 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. Select the **History** tab to view a list of actions that were taken.
![Action center](images/autoir-action-center-1.png) +2. Select the **History** tab to view a list of actions that were taken. 3. Select an item to view more details about the remediation action that was taken. ### Undo an action @@ -137,10 +139,11 @@ If you find that a remediation action was taken automatically on an entity that ### Remove a file from quarantine across multiple devices +![Quarantine file](images/autoir-quarantine-file-1.png) + 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select a file that has the Action type **Quarantine file**. -3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
![Quarantine file](images/autoir-quarantine-file-1.png) - +3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. ## Part 3: Review or define exclusions @@ -352,7 +355,6 @@ Depending on the [level of automation](https://docs.microsoft.com/windows/securi > [!TIP] > We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle. - ## Still need help? If you have worked through all the steps in this article and still need help, your best bet is to contact technical support. @@ -365,4 +367,4 @@ If you have worked through all the steps in this article and still need help, yo [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) -[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) \ No newline at end of file +[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) From 95b12a62beb0830130ecb66f9d3e8155e26d8e31 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 27 Jan 2021 07:37:27 -0800 Subject: [PATCH 212/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 47 ++++++++++--------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index caeb8f45d2..851be0216d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/26/2021 +ms.date: 01/27/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -52,7 +52,7 @@ And, you can [get help if you still have issues with false positives/negatives]( ## Part 1: Review and classify alerts -If you see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. +If you see an [alert](alerts.md) that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. @@ -73,7 +73,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat ### Classify an alert -You can classify an alert as a false positive or a true positive in the Microsoft Defender Security Center, in the **Alerts queue**. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts. +Alerts can be classified as false positives or true positives in the Microsoft Defender Security Center. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Select **Alerts queue**, and then select an alert that is a false positive. @@ -98,7 +98,7 @@ If you have alerts that are either false positives or that are true positives bu ## Part 2: Review remediation actions -[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include: +[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats. Several types of remediation actions occur automatically through automated investigation and Microsoft Defender Antivirus: - Quarantine a file - Remove a registry key - Kill a process @@ -106,25 +106,25 @@ If you have alerts that are either false positives or that are true positives bu - Disable a driver - Remove a scheduled task -Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone. +Other actions, such as starting an antivirus scan or collecting an investigation package, occur manually or through [Live Response](live-response.md). Actions taken through Live Response cannot be undone. After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. Specifically, you can: -- [undo one action at a time](#undo-an-action); -- [undo multiple actions at one time](#undo-multiple-actions-at-one-time); and -- [remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). +- [Undo one action at a time](#undo-an-action); +- [Undo multiple actions at one time](#undo-multiple-actions-at-one-time); and +- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions). ### Review completed actions +![Action center](images/autoir-action-center-1.png) + 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. Select the **History** tab to view a list of actions that were taken.
![Action center](images/autoir-action-center-1.png) +2. Select the **History** tab to view a list of actions that were taken. 3. Select an item to view more details about the remediation action that was taken. ### Undo an action -If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. You can undo most remediation actions. - 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select an action that you want to undo. 3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).) @@ -137,14 +137,15 @@ If you find that a remediation action was taken automatically on an entity that ### Remove a file from quarantine across multiple devices +![Quarantine file](images/autoir-quarantine-file-1.png) + 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select a file that has the Action type **Quarantine file**. -3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
![Quarantine file](images/autoir-quarantine-file-1.png) - +3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. ## Part 3: Review or define exclusions -An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. +An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: - [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) @@ -157,7 +158,7 @@ The procedures in this section describe how to define exclusions and indicators. ### Exclusions for Microsoft Defender Antivirus -In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to define or edit your antivirus exclusions; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). > [!TIP] > Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). @@ -186,13 +187,13 @@ In general, you should not need to define exclusions for Microsoft Defender Anti [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to the following capabilities: +To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to the following capabilities: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -You can create indicators for: +"Allow" indicators can be created for: - [Files](#indicators-for-files) - [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) @@ -205,7 +206,7 @@ You can create indicators for: When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. Before you create indicators for files, make sure the following requirements are met: -- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).) +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus)) - Antimalware client version is 4.18.1901.x or later - Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 - The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) @@ -215,28 +216,28 @@ Before you create indicators for files, make sure the following requirements are When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked. Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met: -- Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection)) +- Network protection in Defender for Endpoint is enabled in block mode (see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection)) - Antimalware client version is 4.18.1906.x or later - Devices are running Windows 10, version 1709, or later -Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) +Custom network indicators are turned on in the Microsoft Defender Security Center (see [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features)) #### Indicators for application certificates When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported. Before you create indicators for application certificates, make sure the following requirements are met: -- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).) +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus)) - Antimalware client version is 4.18.1901.x or later - Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 - Virus and threat protection definitions are up to date > [!TIP] -> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). +> When you create indicators, you can define them one by one, or import multiple items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). ## Part 4: Submit a file for analysis -You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. When you sign in at the submission site, you can track your submissions. +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions, and . When you sign in at the submission site, you can track your submissions. ### Submit a file for analysis From 592c3d4fe02ed21e25325b56985c93471c329682 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 27 Jan 2021 07:51:06 -0800 Subject: [PATCH 213/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 26 +++++++++---------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 851be0216d..80c64fb69d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -187,11 +187,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to the following capabilities: - -- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) -- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) -- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) +To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), and [automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). "Allow" indicators can be created for: @@ -237,7 +233,7 @@ Before you create indicators for application certificates, make sure the followi ## Part 4: Submit a file for analysis -You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions, and . When you sign in at the submission site, you can track your submissions. +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions, and their results help inform Microsoft Defender for Endpoint threat protection capabilities. When you sign in at the submission site, you can track your submissions. ### Submit a file for analysis @@ -273,7 +269,7 @@ To check for updates regarding your submission, sign in at the [Microsoft Securi ## Part 5: Review and adjust your threat protection settings -Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to: - [Cloud-delivered protection](#cloud-delivered-protection) - [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications) @@ -288,6 +284,8 @@ Check your cloud-delivered protection level for Microsoft Defender Antivirus. By We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings. +We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set your cloud-delivered protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). + #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. @@ -312,13 +310,13 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere ### Remediation for potentially unwanted applications Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. - -Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. - -We recommend using Microsoft Endpoint Manager to edit or set PUA protection settings. > [!TIP] > To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). + +Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. + +We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set PUA protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). #### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) @@ -345,18 +343,18 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett [Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team. +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be *Malicious* or *Suspicious*. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team. - [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). -> [!TIP] +> [!IMPORTANT] > We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle. ## Still need help? -If you have worked through all the steps in this article and still need help, your best bet is to contact technical support. +If you have worked through all the steps in this article and still need help, contact technical support. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. From 37c50b4ecc433f63043aa1b2f004097c4173000b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 27 Jan 2021 08:04:19 -0800 Subject: [PATCH 214/304] yanking AV false positives article --- windows/security/threat-protection/TOC.md | 1 - .../antivirus-false-positives-negatives.md | 83 ------------------- 2 files changed, 84 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 76bfdf55f4..0e49e0f09b 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -176,7 +176,6 @@ ###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md) ###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md) ###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md) -###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md) ##### [Deploy, manage updates, and report on antivirus]() ###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md deleted file mode 100644 index e99e915192..0000000000 --- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md +++ /dev/null @@ -1,83 +0,0 @@ ---- -title: What to do with false positives/negatives in Microsoft Defender Antivirus -description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do. -keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions -search.product: eADQiWindows 10XVcnh -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 01/26/2021 -ms.reviewer: shwetaj -manager: dansimp -audience: ITPro -ms.topic: article -ms.technology: mde ---- - -# What to do with false positives/negatives in Microsoft Defender Antivirus - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web. - -What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can: -- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis) -- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring) -- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) - -> [!TIP] -> This article focuses on false positives in Microsoft Defender Antivirus. If you want guidance for Microsoft Defender for Endpoint, which includes next-generation protection, endpoint detection and response, automated investigation and remediation, and more, see [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md). - -## Submit a file to Microsoft for analysis - -1. Review the [submission guidelines](../intelligence/submission-guide.md). -2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission). - -> [!TIP] -> We recommend signing in at the submission portal so you can track the results of your submissions. - -## Create an "Allow" indicator to prevent a false positive from recurring - -If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender for Endpoint) that the item is safe. - -To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). - -## Define an exclusion on an individual Windows device to prevent an item from being scanned - -When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item. - -1. On your Windows 10 device, open the Windows Security app. -2. Select **Virus & threat protection** > **Virus & threat protection settings**. -3. Under **Exclusions**, select **Add or remove exclusions**. -4. Select **+ Add an exclusion**, and specify its type (**File**, **Folder**, **File type**, or **Process**). - -The following table summarizes exclusion types, how they're defined, and what happens when they're in effect. - -|Exclusion type |Defined by |What happens | -|---------|---------|---------| -|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. | -|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. | -|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. | -|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. | - -To learn more, see: -- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus) -- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus) - -## Related articles - -[What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) - -[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) - -[Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) \ No newline at end of file From 79c75450d4907cafbac4d82e359b16256cc089f8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 27 Jan 2021 08:06:27 -0800 Subject: [PATCH 215/304] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 7bcd7f8d15..6c6cd0335b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -16519,6 +16519,11 @@ "source_path": "windows/hub/windows-10.yml", "redirect_url": "https://docs.microsoft.com/windows/windows-10", "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives", + "redirect_document_id": true } ] } From cc757691fac0332d41ab38cd26ad2eb471bb0c98 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Wed, 27 Jan 2021 10:56:07 -0800 Subject: [PATCH 216/304] Release notes for MDE for Mac 101.19.48 --- .../microsoft-defender-atp/mac-whatsnew.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 617e8532aa..9053de5168 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -30,6 +30,14 @@ ms.technology: mde > [!IMPORTANT] > Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021. +## 101.19.48 + +> [!NOTE] +> The old command-line tool syntax has been deprecated with this release. + +- Added a new command-line switch to disable the network extension: `mdatp system-extension network-filter disable`. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint for Mac +- Performance improvements & bug fixes + ## 101.19.21 - Bug fixes From 560702cef3489eefad29fff075b4fdae0f92ce31 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 27 Jan 2021 11:32:53 -0800 Subject: [PATCH 217/304] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8b351b1709..6a64647a0c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -61,24 +61,24 @@ Managing your alerts and classifying true/false positives helps to train your th Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. -2. In the navigation pane, choose **Alerts queue**. -3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Depending on the alert status, take the steps described in the following table: +2. In the navigation pane, choose **Alerts queue**. +3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) +4. Depending on the alert status, take the steps described in the following table: - | Alert status | What to do | - |:---|:---| - | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | - | The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
2. [Suppress the alert](#suppress-an-alert).
3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | - | The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | +| Alert status | What to do | +|:---|:---| +| The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | +| The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
2. [Suppress the alert](#suppress-an-alert).
3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | +| The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | ### Classify an alert Alerts can be classified as false positives or true positives in the Microsoft Defender Security Center. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts. -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. -2. Select **Alerts queue**, and then select an alert that is a false positive. -3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. -4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) > [!TIP] > For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. @@ -87,11 +87,11 @@ Alerts can be classified as false positives or true positives in the Microsoft D If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. -2. In the navigation pane, select **Alerts queue**. -3. Select an alert that you want to suppress to open its **Details** pane. -4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**. -5. Specify all the settings for your suppression rule, and then choose **Save**. +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. > [!TIP] > Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). @@ -123,15 +123,15 @@ When you're done reviewing and undoing actions that were taken as a result of fa ### Undo an action -1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select an action that you want to undo. -3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).) +3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).) ### Undo multiple actions at one time -1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. On the **History** tab, select the actions that you want to undo. -3. In the pane on the right side of the screen, select **Undo**. +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select the actions that you want to undo. +3. In the pane on the right side of the screen, select **Undo**. ### Remove a file from quarantine across multiple devices From 87a43c486a27d80811f79d30915204bd20dbcb0a Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Wed, 27 Jan 2021 11:37:23 -0800 Subject: [PATCH 218/304] Add link to new syntax --- .../threat-protection/microsoft-defender-atp/mac-whatsnew.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 9053de5168..2ae1e83837 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -33,7 +33,7 @@ ms.technology: mde ## 101.19.48 > [!NOTE] -> The old command-line tool syntax has been deprecated with this release. +> The old command-line tool syntax has been deprecated with this release. For information on the new syntax, see [Resources](mac-resources.md#configuring-from-the-command-line). - Added a new command-line switch to disable the network extension: `mdatp system-extension network-filter disable`. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint for Mac - Performance improvements & bug fixes From 5db9bdd39f5af3eb34f60c0c86b8656fe6d0032b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 27 Jan 2021 13:59:44 -0800 Subject: [PATCH 219/304] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index ad505f776b..20419165db 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: tewchen, pahuijbr, shwjha manager: dansimp -ms.date: 01/22/2021 +ms.date: 01/27/2021 ms.technology: mde --- @@ -89,10 +89,12 @@ The table in this section summarizes the functionality and features that are ava | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | Yes | No | | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No | -(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. However, if [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) (Endpoint DLP) is configured and in effect, protective actions are enforced. Endpoint DLP works with real-time protection and behavior monitoring. +(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. (4) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans. +> [!NOTE] +> [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode. ## Keep the following points in mind From e94d376345b81166cd2e35693ba87e2de650bb94 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 18:09:28 +0200 Subject: [PATCH 220/304] 1 --- .../microsoft-defender-atp/api-release-notes.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 4a650a2e4d..5dd49affed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -23,13 +23,16 @@ ms.technology: mde - test 1 +

## 2.2.3 - test2 - test3 +
## 2.1.58 - fix: test4 - fix: test5 - add: test6 +
\ No newline at end of file From 1849be05e2751c3a377c9b089ac7083d54054b50 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 18:21:42 +0200 Subject: [PATCH 221/304] 2 --- .../microsoft-defender-atp/api-release-notes.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 5dd49affed..4bd5e626eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -19,15 +19,20 @@ ms.technology: mde # Release Notes -## 2.2.4 +## 25.01.2021 -- test 1 +- Updated rate limitations for [Hunting API](run-advanced-query-api.md) to 45 requests per minute.
-## 2.2.3 +## 21.01.2021 -- test2 -- test3 +- Added new API: [Find devices by tag](machine-tags.md). +- Added new API: [Import Indicators](import-ti-indicators.md). + +
+## 01.09.2020 + +- Added option to expand the Alert object with its related Evidence. See [List Alerts](get-alerts.md)
## 2.1.58 From 9d62730beb65f306f0d14ff0c21010b23dbf3616 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 18:23:39 +0200 Subject: [PATCH 222/304] 2 --- .../api-release-notes.md | 23 ++++++++----------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 4bd5e626eb..a61531bcf0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -19,25 +19,20 @@ ms.technology: mde # Release Notes -## 25.01.2021 +### 25.01.2021 +
+
- Updated rate limitations for [Hunting API](run-advanced-query-api.md) to 45 requests per minute. -
-## 21.01.2021 - +### 21.01.2021 +
+
- Added new API: [Find devices by tag](machine-tags.md). - Added new API: [Import Indicators](import-ti-indicators.md). -
-## 01.09.2020 +### 01.09.2020 +
+
- Added option to expand the Alert object with its related Evidence. See [List Alerts](get-alerts.md) - -
-## 2.1.58 - -- fix: test4 -- fix: test5 -- add: test6 -
\ No newline at end of file From 7cd95e5ac9ede0a5247190187c5d1332ad30e9b0 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 18:26:48 +0200 Subject: [PATCH 223/304] 1 --- .../microsoft-defender-atp/api-release-notes.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index a61531bcf0..496e4151c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -18,6 +18,8 @@ ms.technology: mde --- # Release Notes +
+
### 25.01.2021
From 05207554978b7ca295186f41d6fcb0ebeb067930 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 18:54:48 +0200 Subject: [PATCH 224/304] 1 --- .../exposed-apis-odata-samples.md | 170 ++++++++++++------ .../get-alert-related-machine-info.md | 47 +++-- .../get-machine-by-id.md | 38 ++-- .../microsoft-defender-atp/get-machines.md | 38 ++-- .../microsoft-defender-atp/machine.md | 4 +- 5 files changed, 197 insertions(+), 100 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index ab3344e02c..589c3508f8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -221,25 +221,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "High", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -260,25 +274,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "ImpairedCommunication", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -299,25 +327,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "ImpairedCommunication", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -384,25 +426,39 @@ json{ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "version": "1709", - "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "ImpairedCommunication", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", + "osPlatform": "Windows10", + "osProcessor": "x64", + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index 60d47669c1..1ee033457d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -90,24 +90,37 @@ Here is an example of the response. ```json { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity", - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "version": "1709", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", + "osPlatform": "Windows10", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] + "riskScore": "Low", + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index 0a6ff20f30..c754604e60 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -93,25 +93,37 @@ Here is an example of the response. ```json { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine", - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] } - ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index 42a179a64f..a36163fc75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -97,25 +97,39 @@ Here is an example of the response. "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] - } + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index 896f5ca654..79b6f79c97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -58,17 +58,19 @@ computerDnsName | String | [machine](machine.md) fully qualified name. firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint. lastSeen | DateTimeOffset |Time and date of the last received full device report. A device typically sends a full report every 24 hours. osPlatform | String | Operating system platform. +osProcessor | String | Operating system processor. version | String | Operating system Version. osBuild | Nullable long | Operating system build number. lastIpAddress | String | Last IP on local NIC on the [machine](machine.md). lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet. healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown". rbacGroupName | String | Machine group Name. -rbacGroupId | Int | Machine group unique ID. riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'. exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined). machineTags | String collection | Set of [machine](machine.md) tags. exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'. +ipAddresses | IpAddress collection | Set of ***IpAddress*** object. See [Get machines API](get-machines.md). + From 374cd8e3891b666e6e350b9626725305f9928331 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 19:15:21 +0200 Subject: [PATCH 225/304] 3 --- .../microsoft-defender-atp/api-release-notes.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 496e4151c6..94884f8d28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -22,19 +22,21 @@ ms.technology: mde
### 25.01.2021 -
- Updated rate limitations for [Hunting API](run-advanced-query-api.md) to 45 requests per minute. -### 21.01.2021
+
+### 21.01.2021
+ - Added new API: [Find devices by tag](machine-tags.md). - Added new API: [Import Indicators](import-ti-indicators.md). - -### 01.09.2020
+
+### 01.09.2020
+ - Added option to expand the Alert object with its related Evidence. See [List Alerts](get-alerts.md) From 996ed22e654a18d0995a157e5b72eb05b56d973b Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 19:27:34 +0200 Subject: [PATCH 226/304] 1 --- .../api-release-notes.md | 16 +++++++++++- .../set-device-value.md | 26 +++++++++++++++---- 2 files changed, 36 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 94884f8d28..aef1b00336 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -34,9 +34,23 @@ ms.technology: mde - Added new API: [Find devices by tag](machine-tags.md). - Added new API: [Import Indicators](import-ti-indicators.md). +
+
+### 15.12.2020 +
+ +- Updated [Device](machine.md) entity with IP Interfaces. See [List devices](get-machines.md). + +
+
+### 04.12.2020 +
+ +- Added new API: [Set device value](set-device-value.md). +

### 01.09.2020
-- Added option to expand the Alert object with its related Evidence. See [List Alerts](get-alerts.md) +- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md index 6f1fe23a4a..1164cfc4a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md @@ -73,12 +73,28 @@ Content-Type | string | application/json. **Required**. ## Request body -```json -{ - "DeviceValue": "{device value}" -} -``` +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +DeviceValue | Enum | Device value. Allowed values are: 'Normal', 'Low' and 'High'. **Required**. ## Response If successful, this method returns 200 - Ok response code and the updated Machine in the response body. + +## Example + +**Request** + +Here is an example of a request that adds machine tag. + +``` +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue +``` + +```json +{ + "DeviceValue" : "High" +} +``` \ No newline at end of file From 77288ab9c0827ae9ccca1e1a72fa46d54b374dc3 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 19:39:53 +0200 Subject: [PATCH 227/304] 1 --- .../microsoft-defender-atp/api-release-notes.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index aef1b00336..5cc2a60d8b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -28,6 +28,7 @@ ms.technology: mde

+ ### 21.01.2021
@@ -36,6 +37,15 @@ ms.technology: mde

+ +### 03.01.2021 +
+ +- Update Alert evidence with + +
+
+ ### 15.12.2020
@@ -43,6 +53,7 @@ ms.technology: mde

+ ### 04.12.2020
@@ -50,6 +61,7 @@ ms.technology: mde

+ ### 01.09.2020
From 70290566344b75cb6e089be8a29df213ed0c672d Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 19:43:39 +0200 Subject: [PATCH 228/304] 1 --- .../microsoft-defender-atp/api-release-notes.md | 2 +- .../threat-protection/microsoft-defender-atp/machine.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 5cc2a60d8b..8200dc8a47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -41,7 +41,7 @@ ms.technology: mde ### 03.01.2021
-- Update Alert evidence with +- Update Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName***.

diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index 79b6f79c97..477cebbeb7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -71,6 +71,6 @@ aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machi machineTags | String collection | Set of [machine](machine.md) tags. exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'. -ipAddresses | IpAddress collection | Set of ***IpAddress*** object. See [Get machines API](get-machines.md). +ipAddresses | IpAddress collection | Set of ***IpAddress*** objects. See [Get machines API](get-machines.md). From 2560de795908d3c9b9bad44417d9a2a7ddf7e272 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 20:12:39 +0200 Subject: [PATCH 229/304] 1 --- .../microsoft-defender-atp/alerts.md | 159 +++++++++++++--- .../api-release-notes.md | 8 +- .../exposed-apis-odata-samples.md | 171 +++++++++++------- .../microsoft-defender-atp/get-alerts.md | 171 +++++++++++------- 4 files changed, 349 insertions(+), 160 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index f6b1666c6c..165692fb02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -69,45 +69,146 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib category| String | Category of the alert. detectionSource | String | Detection source. threatFamilyName | String | Threat family. +threatName | String | Threat name. +threatName | String | Threat name. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. computerDnsName | String | [machine](machine.md) fully qualified name. aadTenantId | String | The Azure Active Directory ID. -comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time. +detectorId | String | The ID of the detector that triggered the alert. +comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time. +Evidence | List of Alert evidence | Evidence related to the alert. See example below. ### Response example for getting single alert: ``` -GET https://api.securitycenter.microsoft.com/api/alerts/da637084217856368682_-292920499 +GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609 ``` ```json { - "id": "da637084217856368682_-292920499", - "incidentId": 66860, - "investigationId": 4416234, - "investigationState": "Running", - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "New", - "classification": "TruePositive", - "determination": null, - "detectionSource": "WindowsDefenderAtp", - "category": "CommandAndControl", - "threatFamilyName": null, - "title": "Network connection to a risky host", - "description": "A network connection was made to a risky host which has exhibited malicious activity.", - "alertCreationTime": "2019-11-03T23:49:45.3823185Z", - "firstEventTime": "2019-11-03T23:47:16.2288822Z", - "lastEventTime": "2019-11-03T23:47:51.2966758Z", - "lastUpdateTime": "2019-11-03T23:55:52.6Z", - "resolvedTime": null, - "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd", - "comments": [ - { - "comment": "test comment for docs", - "createdBy": "secop@contoso.com", - "createdTime": "2019-11-05T14:08:37.8404534Z" - } - ] + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, + "assignedTo": null, + "severity": "Low", + "status": "New", + "classification": null, + "determination": null, + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", + "resolvedTime": null, + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], + "relatedUser": { + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], + "evidence": [ + { + "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": null, + "sha256": null, + "fileName": null, + "filePath": null, + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 8200dc8a47..51e3dc8790 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -41,7 +41,8 @@ ms.technology: mde ### 03.01.2021
-- Update Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName***. +- Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties. +- Updated [Alert entity](alerts.md): added ***detectorId*** property.

@@ -49,15 +50,16 @@ ms.technology: mde ### 15.12.2020
-- Updated [Device](machine.md) entity with IP Interfaces. See [List devices](get-machines.md). +- Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md).

-### 04.12.2020 +### 04.11.2020
- Added new API: [Set device value](set-device-value.md). +- Updated [Device](machine.md) entity: added ***deviceValue*** property.

diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 589c3508f8..504f3e3b49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -57,75 +57,51 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "value": [ { - "id": "da637306396589640224_1753239473", - "incidentId": 875832, - "investigationId": 478434, + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, "assignedTo": null, "severity": "Low", "status": "New", "classification": null, "determination": null, - "investigationState": "PendingApproval", - "detectionSource": "WindowsDefenderAv", - "category": "UnwantedSoftware", - "threatFamilyName": "InstallCore", - "title": "An active 'InstallCore' unwanted software was detected", - "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.", - "alertCreationTime": "2020-07-18T03:27:38.9483995Z", - "firstEventTime": "2020-07-18T03:25:39.6124549Z", - "lastEventTime": "2020-07-18T03:26:18.4362304Z", - "lastUpdateTime": "2020-07-18T03:28:19.76Z", + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", "resolvedTime": null, - "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa", - "computerDnsName": "temp2.redmond.corp.microsoft.com", - "rbacGroupName": "Ring0", - "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47", + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { - "userName": "temp2", - "domainName": "REDMOND" - }, - "comments": [], + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], "evidence": [ - { - "entityType": "File", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": null, - "processCommandLine": null, - "processCreationTime": null, - "parentProcessId": null, - "parentProcessCreationTime": null, - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, - { - "entityType": "Process", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": 24348, - "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ", - "processCreationTime": "2020-07-18T03:25:38.5269993Z", - "parentProcessId": 16840, - "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z", - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, { "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", "sha1": null, "sha256": null, "fileName": null, @@ -135,13 +111,74 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev "processCreationTime": null, "parentProcessId": null, "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, "ipAddress": null, "url": null, - "accountName": "temp2", - "domainName": "REDMOND", - "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363", - "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d", - "userPrincipalName": "temp2@microsoft.com" + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" } ] }, @@ -188,6 +225,12 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate "computerDnsName": "temp123.middleeast.corp.microsoft.com", "rbacGroupName": "MiddleEast", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { "userName": "temp123", "domainName": "MIDDLEEAST" diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index eb0067b2ba..47af279049 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -128,6 +128,12 @@ Here is an example of the response. "computerDnsName": "temp123.middleeast.corp.microsoft.com", "rbacGroupName": "MiddleEast", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { "userName": "temp123", "domainName": "MIDDLEEAST" @@ -170,75 +176,51 @@ Here is an example of the response. "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "value": [ { - "id": "da637306396589640224_1753239473", - "incidentId": 875832, - "investigationId": 478434, + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, "assignedTo": null, "severity": "Low", "status": "New", "classification": null, "determination": null, - "investigationState": "PendingApproval", - "detectionSource": "WindowsDefenderAv", - "category": "UnwantedSoftware", - "threatFamilyName": "InstallCore", - "title": "An active 'InstallCore' unwanted software was detected", - "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.", - "alertCreationTime": "2020-07-18T03:27:38.9483995Z", - "firstEventTime": "2020-07-18T03:25:39.6124549Z", - "lastEventTime": "2020-07-18T03:26:18.4362304Z", - "lastUpdateTime": "2020-07-18T03:28:19.76Z", + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", "resolvedTime": null, - "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa", - "computerDnsName": "temp2.redmond.corp.microsoft.com", - "rbacGroupName": "Ring0", - "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47", + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { - "userName": "temp2", - "domainName": "REDMOND" - }, - "comments": [], + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], "evidence": [ - { - "entityType": "File", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": null, - "processCommandLine": null, - "processCreationTime": null, - "parentProcessId": null, - "parentProcessCreationTime": null, - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, - { - "entityType": "Process", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": 24348, - "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ", - "processCreationTime": "2020-07-18T03:25:38.5269993Z", - "parentProcessId": 16840, - "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z", - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, { "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", "sha1": null, "sha256": null, "fileName": null, @@ -248,13 +230,74 @@ Here is an example of the response. "processCreationTime": null, "parentProcessId": null, "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, "ipAddress": null, "url": null, - "accountName": "temp2", - "domainName": "REDMOND", - "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363", - "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d", - "userPrincipalName": "temp2@microsoft.com" + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" } ] }, From 599ddc7daa6d8f72b29d51178627286f09df0972 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 20:17:00 +0200 Subject: [PATCH 230/304] 1 --- .../microsoft-defender-atp/api-release-notes.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 51e3dc8790..43a133a98d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -26,7 +26,6 @@ ms.technology: mde - Updated rate limitations for [Hunting API](run-advanced-query-api.md) to 45 requests per minute. -

### 21.01.2021 @@ -35,7 +34,6 @@ ms.technology: mde - Added new API: [Find devices by tag](machine-tags.md). - Added new API: [Import Indicators](import-ti-indicators.md). -

### 03.01.2021 @@ -44,7 +42,6 @@ ms.technology: mde - Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties. - Updated [Alert entity](alerts.md): added ***detectorId*** property. -

### 15.12.2020 @@ -52,7 +49,6 @@ ms.technology: mde - Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md). -

### 04.11.2020 @@ -61,10 +57,12 @@ ms.technology: mde - Added new API: [Set device value](set-device-value.md). - Updated [Device](machine.md) entity: added ***deviceValue*** property. -

### 01.09.2020
- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md) + +
+
\ No newline at end of file From 8d66bba38052d0c40a29a928203e9df21f6446b9 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 20:28:30 +0200 Subject: [PATCH 231/304] 1 --- .../security/threat-protection/microsoft-defender-atp/alerts.md | 1 - .../microsoft-defender-atp/api-release-notes.md | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 165692fb02..ffa3cd11ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -70,7 +70,6 @@ category| String | Category of the alert. detectionSource | String | Detection source. threatFamilyName | String | Threat family. threatName | String | Threat name. -threatName | String | Threat name. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. computerDnsName | String | [machine](machine.md) fully qualified name. aadTenantId | String | The Azure Active Directory ID. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 43a133a98d..6689e36c5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -24,7 +24,7 @@ ms.technology: mde ### 25.01.2021
-- Updated rate limitations for [Hunting API](run-advanced-query-api.md) to 45 requests per minute. +- Updated rate limitations for [Advanced Hunting API](run-advanced-query-api.md) from 15 to 45 requests per minute.
From 9a3e2c4ab8c33b4a068c3bf22c6ed69cd58d090f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 28 Jan 2021 13:13:23 -0800 Subject: [PATCH 232/304] fix warnings --- .../microsoft-defender-atp/enable-attack-surface-reduction.md | 2 +- .../microsoft-defender-atp/indicator-file.md | 4 ++-- .../microsoft-defender-atp/indicator-ip-domain.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 44d58c8d1e..c34737f912 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -99,7 +99,7 @@ Example: `OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions` -`Value: c:\path|e:\path|c:\Whitelisted.exe` +`Value: c:\path|e:\path|c:\Exclusions.exe` > [!NOTE] > Be sure to enter OMA-URI values without spaces. diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md index be86647e97..78a28933b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md @@ -2,7 +2,7 @@ title: Create indicators for files ms.reviewer: description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities. -keywords: file, hash, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security @@ -39,7 +39,7 @@ There are two ways you can create indicators for files: ### Before you begin It's important to understand the following prerequisites prior to creating indicators for files: -- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. - Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019. - To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md index f238e1f680..2fd5f9cce1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md @@ -2,7 +2,7 @@ title: Create indicators for IPs and URLs/domains ms.reviewer: description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities. -keywords: ip, url, domain, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: ip, url, domain, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security From 28e58d56b3539a1fad719b6cbf73bc373a1e8d9c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 14:56:28 -0800 Subject: [PATCH 233/304] Added label to code block --- .../security/threat-protection/microsoft-defender-atp/alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index ffa3cd11ee..da475d40a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -79,7 +79,7 @@ Evidence | List of Alert evidence | Evidence related to the alert. See example b ### Response example for getting single alert: -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609 ``` From 7520c0930bcd2110d525b5dca6055cc0d768fd3e Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 14:56:56 -0800 Subject: [PATCH 234/304] Added missing period --- .../microsoft-defender-atp/api-release-notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 6689e36c5c..36327643c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -62,7 +62,7 @@ ms.technology: mde ### 01.09.2020
-- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md) +- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md).

\ No newline at end of file From 100c6d9bc9c72ed8b832ea791b1194b550c8d8d7 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 15:01:43 -0800 Subject: [PATCH 235/304] Added end punctuation --- .../exposed-apis-odata-samples.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 504f3e3b49..0d88d39023 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -44,7 +44,7 @@ Not all properties are filterable. ### Example 1 -Get 10 latest Alerts with related Evidence +Get 10 latest Alerts with related Evidence: ```http HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence @@ -189,7 +189,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev ### Example 2 -Get all the alerts last updated after 2019-11-22 00:00:00 +Get all the alerts last updated after 2019-11-22 00:00:00: ```http HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z @@ -251,7 +251,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate ### Example 3 -Get all the devices with 'High' 'RiskScore' +Get all the devices with 'High' 'RiskScore': ```http HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScore+eq+'High' @@ -304,7 +304,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor ### Example 4 -Get top 100 devices with 'HealthStatus' not equals to 'Active' +Get top 100 devices with 'HealthStatus' not equals to 'Active': ```http HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100 @@ -357,7 +357,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt ### Example 5 -Get all the devices that last seen after 2018-10-20 +Get all the devices that last seen after 2018-10-20: ```http HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen gt 2018-08-01Z @@ -410,7 +410,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen ### Example 6 -Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint +Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint: ```http HTTP GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan' From 6de7189a3606f704093641de13b30799e47bcd95 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 15:06:31 -0800 Subject: [PATCH 236/304] Labeled code block --- .../microsoft-defender-atp/get-alert-related-machine-info.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index 1ee033457d..4a56186c19 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -56,7 +56,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request -``` + +```http GET /api/alerts/{id}/machine ``` From 2524740ebb80195497b5c065a48d2d11786a8af7 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 15:09:38 -0800 Subject: [PATCH 237/304] Added missing end punctuation. --- .../microsoft-defender-atp/get-machine-by-id.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index c754604e60..76dc993182 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -41,7 +41,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md). Permission type | Permission | Permission display name :---|:---|:--- From c4dcb999082992535349ecde10c7e51214654f45 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 15:14:11 -0800 Subject: [PATCH 238/304] Replaced br tags with CR/LF, added end punctuation The block of text looked strange in preview due to the short and wrapped lines. --- .../microsoft-defender-atp/get-machines.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index a36163fc75..44e815ff37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -33,9 +33,12 @@ ms.technology: mde ## API description Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud. -
Supports [OData V4 queries](https://www.odata.org/documentation/). -
The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`. -
See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md) + +Supports [OData V4 queries](https://www.odata.org/documentation/). + +The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`. + +See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md). ## Limitations @@ -55,8 +58,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information). +>- Response will include only devices, that the user have access to, based on device group settings. For more info, see [Create and manage device groups](machine-groups.md). ## HTTP request From ba506d79807f1d7ebfff3553a238d112aeea3039 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 15:15:57 -0800 Subject: [PATCH 239/304] Labeled code block --- .../microsoft-defender-atp/set-device-value.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md index 1164cfc4a4..66e0dfcd99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md @@ -89,7 +89,7 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue ``` From 9070c026aada653a5c4953f229221656e3c9eaff Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Thu, 28 Jan 2021 15:17:15 -0800 Subject: [PATCH 240/304] Fixing weird phrasing and list issue --- .../hello-for-business/hello-how-it-works.md | 4 ++-- .../hello-for-business/hello-planning-guide.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 60d7c90219..c9844c3d80 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -21,7 +21,7 @@ ms.reviewer: - Windows 10 -Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. +Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8] @@ -48,7 +48,7 @@ For more information read [how provisioning works](hello-how-it-works-provisioni ### Authentication -Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. +With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works. diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 260676b71b..0d50683cf6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -45,7 +45,7 @@ There are six major categories you need to consider for a Windows Hello for Busi - Client - Management - Active Directory --Public Key Infrastructure +- Public Key Infrastructure - Cloud ### Baseline Prerequisites From b7b092458eb9f5300d4ce03928a4750192d8a85b Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Thu, 28 Jan 2021 16:41:12 -0800 Subject: [PATCH 241/304] remove config score --- .../microsoft-defender-atp/tvm-security-recommendation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 5ec3a45841..442c78a35a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -105,7 +105,7 @@ From the flyout, you can choose any of the following options: ### Investigate changes in device exposure or impact -If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating. +If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating. 1. Select the recommendation and **Open software page** 2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md) From c31f98e043441b191c772b23559fdcdfb751e3d8 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Fri, 29 Jan 2021 20:03:13 +0200 Subject: [PATCH 242/304] Update pull-alerts-using-rest-api.md Fixing numbers that are written as strings in the example. https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9037 --- .../microsoft-defender-atp/pull-alerts-using-rest-api.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 035be361f5..0b426b8e0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -84,10 +84,10 @@ The response will include an access token and expiry information. ```json { "token_type": "Bearer", - "expires_in": "3599", - "ext_expires_in": "0", - "expires_on": "1488720683", - "not_before": "1488720683", + "expires_in": 3599, + "ext_expires_in": 0, + "expires_on": 1488720683, + "not_before": 1488720683, "resource": "https://graph.windows.net", "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..." } From 3d28a9ee0d231981a95413a9aa2566403ae91c17 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Fri, 29 Jan 2021 20:09:53 +0200 Subject: [PATCH 243/304] Update pull-alerts-using-rest-api.md Acrolinx. --- .../microsoft-defender-atp/pull-alerts-using-rest-api.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 0b426b8e0d..49d143d897 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -1,6 +1,6 @@ --- title: Pull Microsoft Defender for Endpoint detections using REST API -description: Learn how call an Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API. +description: Learn how to call a Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API. keywords: detections, pull detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -67,7 +67,7 @@ Use the following method in the Microsoft Defender for Endpoint API to pull dete ## Get an access token Before creating calls to the endpoint, you'll need to get an access token. -You'll use the access token to access the protected resource, which are detections in Microsoft Defender for Endpoint. +You'll use the access token to access the protected resource, which is detections in Microsoft Defender for Endpoint. To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: @@ -115,7 +115,7 @@ Name | Value| Description :---|:---|:--- sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.

**NOTE**: When not specified, all alerts generated in the last two hours are retrieved. untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

**NOTE**: When not specified, the default value will be the current time. -ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. +ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

Value should be set according to **ISO 8601** duration format
Example: `ago=PT10M` will pull alerts received in the last 10 minutes. limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

**NOTE**: When not specified, all alerts available in the time range will be retrieved. machinegroups | string | Specifies device groups to pull alerts from.

**NOTE**: When not specified, alerts from all device groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` DeviceCreatedMachineTags | string | Single device tag from the registry. From 236497f1a20efa5048a868c70296b4951eaf78c0 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 14:09:12 -0800 Subject: [PATCH 244/304] Labeled code blocks, added some vertical spacing --- .../feature-multifactor-unlock.md | 140 +++++++++++------- 1 file changed, 89 insertions(+), 51 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index da9b1c7c1e..e6e5fa20c1 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -83,15 +83,17 @@ For example, if you include the PIN and fingerprint credential providers in both The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. ### Rule element -You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
+You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0. + **Example** -``` +```xml ``` ### Signal element -Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
+Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values. + |Attribute|Value| |---------|-----| @@ -109,8 +111,8 @@ You define the bluetooth signal with additional attributes in the signal element |rssiMin|"*number*"|no| |rssiMaxDelta|"*number*"|no| -Example: -``` +**Example** +```xml @@ -142,63 +144,76 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements do not have attributes or nested elements. ##### IPv4Prefix -The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element.
+The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element. + **Example** -``` +```xml 192.168.100.0/24 ``` + The assigned IPv4 addresses in the range of 192.168.100.1 to 192.168.100.254 match this signal configuration. ##### IPv4Gateway -The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element.
+The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element. + **Example** -``` +```xml 192.168.100.10 ``` + ##### IPv4DhcpServer -The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element.
+The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element. + **Example** -``` +```xml 192.168.100.10 ``` + ##### IPv4DnsServer -The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.
+The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements. + **Example:** -``` +```xml 192.168.100.10 ``` ##### IPv6Prefix -The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element.
+The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element. + **Example** -``` +```xml 21DA:D3::/48 ``` ##### IPv6Gateway -The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element.
+The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element. + **Example** -``` +```xml 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` ##### IPv6DhcpServer -The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element.
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element. + **Example** -``` +```xml 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 +The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements. + **Example** -``` +```xml 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` + ##### dnsSuffix -The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements. + **Example** -``` +```xml corp.contoso.com ``` @@ -210,15 +225,17 @@ The fully qualified domain name of your organization's internal DNS suffix where You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements. #### SSID -Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
-``` +Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required. + +```xml corpnetwifi ``` #### BSSID -Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
+Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional. + **Example** -``` +```xml 12-ab-34-ff-e5-46 ``` @@ -235,19 +252,22 @@ Contains the type of security the client uses when connecting to the wireless ne |WPA2-Enterprise| The wireless network is protected using Wi-Fi Protected Access 2-Enterprise.| **Example** -``` +```xml WPA2-Enterprise ``` #### TrustedRootCA -Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
+Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional. + **Example** -``` +```xml a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa ``` + #### Sig_quality -Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
+Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal. + **Example** -``` +```xml 80 ``` @@ -257,7 +277,8 @@ These examples are wrapped for readability. Once properly formatted, the entire #### Example 1 This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, and DnsSuffix elements. -``` + +```xml 10.10.10.0/24 @@ -271,10 +292,11 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, #### Example 2 This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. This configuration is wrapped for reading. Once properly formatted, the entire XML contents must be a single line. This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. + >[!NOTE] >Separate each rule element using a comma. -``` +```xml corp.contoso.com @@ -284,9 +306,11 @@ This example configures an IpConfig signal type using a dnsSuffix element and a ``` + #### Example 3 This example configures the same as example 2 using compounding And elements. This example implies that the ipconfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. -``` + +```xml @@ -296,9 +320,11 @@ This example configures the same as example 2 using compounding And elements. T ``` + #### Example 4 This example configures Wi-Fi as a trusted signal (Windows 10, version 1803) -``` + +```xml contoso @@ -332,22 +358,34 @@ The Group Policy object contains the policy settings needed to trigger Windows H > * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both. > * The multifactor unlock feature is also supported via the Passport for Work CSP. See [Passport For Work CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) for more information. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New**. -4. Type *Multifactor Unlock* in the name box and click **OK**. -5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
- ![Group Policy Editor](images/multifactorUnlock/gpme.png) -8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
- ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) -9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section. -10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section. -11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. +1. Start the **Group Policy Management Console** (gpmc.msc). - ## Troubleshooting - Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + +3. Right-click **Group Policy object** and select **New**. + +4. Type *Multifactor Unlock* in the name box and click **OK**. + +5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**. + +6. In the navigation pane, expand **Policies** under **Computer Configuration**. + +7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. + + ![Group Policy Editor](images/multifactorUnlock/gpme.png) + +8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values. + + ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) + +9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors). + +10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider). + +11. Click **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. + +## Troubleshooting +Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. ### Events From 47bb2e611ed6cfc1c86a26baba8e2e0ea8fe4d3e Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 14:10:42 -0800 Subject: [PATCH 245/304] Acrolinx: "the those" --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 0d50683cf6..57805caf8b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -160,7 +160,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in ### Cloud -Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional. +Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from those that are optional. ## Planning a Deployment From 813366c483832642f9265d2cf6eedd7f87ac0749 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 29 Jan 2021 14:55:37 -0800 Subject: [PATCH 246/304] update section on passive uninstall --- .../microsoft-defender-atp/minimum-requirements.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 7d4ff91ed4..f7623205a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -199,14 +199,12 @@ When Microsoft Defender Antivirus is not the active antimalware in your organiza If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy. -If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). +If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). > [!NOTE] > Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on. -For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). - ## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard. From 402d66cf2d6e71fc1f511079881b8f70f96e0e88 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:01:47 -0800 Subject: [PATCH 247/304] Update MDE for Mac docs to use new command-line tool syntax --- .../mac-install-manually.md | 4 ++-- .../microsoft-defender-atp/mac-pua.md | 2 +- .../microsoft-defender-atp/mac-resources.md | 2 +- .../mac-schedule-scan-atp.md | 4 ++-- .../microsoft-defender-atp/mac-support-kext.md | 16 ++++++++-------- .../microsoft-defender-atp/mac-support-perf.md | 2 +- .../microsoft-defender-atp/mac-whatsnew.md | 2 +- .../microsoft-defender-atp-mac.md | 2 +- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 904279814f..375f715a8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -116,7 +116,7 @@ To complete this process, you must have admin privileges on the device. The client device is not associated with orgId. Note that the *orgId* attribute is blank. ```bash - mdatp --health orgId + mdatp health --field org_id ``` 2. Run the Python script to install the configuration file: @@ -128,7 +128,7 @@ To complete this process, you must have admin privileges on the device. 3. Verify that the device is now associated with your organization and reports a valid *orgId*: ```bash - mdatp --health orgId + mdatp health --field org_id ``` After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md index a83bc01f7a..37371fa8f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md @@ -59,7 +59,7 @@ You can configure how PUA files are handled from the command line or from the ma In Terminal, execute the following command to configure PUA protection: ```bash -mdatp --threat --type-handling potentially_unwanted_application [off|audit|block] +mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block] ``` ### Use the management console to configure PUA protection: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index 8ab4ccb54a..227df25707 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -149,7 +149,7 @@ To enable autocompletion in zsh: ## Client Microsoft Defender for Endpoint quarantine directory -`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`. +`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp threat list`. ## Microsoft Defender for Endpoint portal information diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index b7f2649c73..331b7057ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -47,7 +47,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. sh -c - /usr/local/bin/mdatp --scan --quick + /usr/local/bin/mdatp scan quick RunAtLoad @@ -73,7 +73,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. 2. Save the file as *com.microsoft.wdav.schedquickscan.plist*. > [!TIP] - > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. + > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp scan quick`, to use the `full` option instead of `quick` (i.e. `/usr/local/bin/mdatp scan full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. 3. Open **Terminal**. 4. Enter the following commands to load your file: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index 3cefc80735..dae30c8c6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md @@ -37,15 +37,15 @@ If you did not approve the kernel extension during the deployment/installation o ![RTP disabled screenshot](../microsoft-defender-antivirus/images/MDATP-32-Main-App-Fix.png) -You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device. +You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device. ```bash -mdatp --health +mdatp health ``` ```Output ... -realTimeProtectionAvailable : false -realTimeProtectionEnabled : true +real_time_protection_enabled : true +real_time_protection_available : true ... ``` @@ -90,15 +90,15 @@ In this case, you need to perform the following steps to trigger the approval fl sudo kextutil /Library/Extensions/wdavkext.kext ``` - The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available: + The banner should disappear from the Defender application, and ```mdatp health``` should now report that real-time protection is both enabled and available: ```bash - mdatp --health + mdatp health ``` ```Output ... - realTimeProtectionAvailable : true - realTimeProtectionEnabled : true + real_time_protection_enabled : true + real_time_protection_available : true ... ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 96b85255e0..9aff2517bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -48,7 +48,7 @@ The following steps can be used to troubleshoot and mitigate these issues: - From the Terminal. For security purposes, this operation requires elevation. ```bash - mdatp --config realTimeProtectionEnabled false + mdatp config real-time-protection --value disabled ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 2ae1e83837..55c92067b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -173,7 +173,7 @@ ms.technology: mde - Fixed an issue where Microsoft Defender for Endpoint for Mac was sometimes interfering with Time Machine - Added a new switch to the command-line utility for testing the connectivity with the backend service ```bash - mdatp --connectivity-test + mdatp connectivity test ``` - Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view) - Performance improvements & bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 61c7fe0660..9766c422da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -132,7 +132,7 @@ The output from this command should be similar to the following: Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal: ```bash -mdatp --connectivity-test +mdatp connectivity test ``` ## How to update Microsoft Defender for Endpoint for Mac From 5d73e88e40b16c8c285dcbe144712e9f82d9fcef Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:05:01 -0800 Subject: [PATCH 248/304] One more file --- .../microsoft-defender-atp/mac-sysext-preview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index 3e8f336502..b02e640d1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md @@ -45,7 +45,7 @@ These steps assume you already have Defender for Endpoint running on your device - Your device must be in the **Insider Fast update channel**. You can check the update channel by using the following command: ```bash - mdatp --health releaseRing + mdatp health --field release_ring ``` If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted). From 47bd07c3fa4979cb5e91ca1c8bda30eadccec328 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:12:40 -0800 Subject: [PATCH 249/304] Typo --- .../microsoft-defender-atp/mac-support-kext.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index dae30c8c6a..8d726d2f36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md @@ -44,7 +44,7 @@ mdatp health ``` ```Output ... -real_time_protection_enabled : true +real_time_protection_enabled : false real_time_protection_available : true ... ``` From f29f13280dc50788d2e9537221dfe79d255d7335 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 16:13:11 -0800 Subject: [PATCH 250/304] Corrected indentation of content in list items --- .../microsoft-defender-atp/mac-support-perf.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 9aff2517bf..cbfb2f15f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -43,13 +43,13 @@ The following steps can be used to troubleshoot and mitigate these issues: - From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**. - ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) + ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) - From the Terminal. For security purposes, this operation requires elevation. - ```bash - mdatp config real-time-protection --value disabled - ``` + ```bash + mdatp config real-time-protection --value disabled + ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). From f0446c8eb4ebb6e9c0598e76fee5cf30b2c76462 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 16:15:28 -0800 Subject: [PATCH 251/304] Corrected indentation and, thereby, broken numbering in a procedure --- .../microsoft-defender-atp/mac-sysext-preview.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index b02e640d1e..3a5f837ab4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md @@ -66,8 +66,9 @@ Follow the deployment steps that correspond to your environment and your preferr 1. After all deployment prerequisites are met, restart your device to launch the system extension approval and activation process. -You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. -For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run. + You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. + + For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run. > [!IMPORTANT] > You must close and reopen the **System Preferences** > **Security & Privacy** window between subsequent approvals. Otherwise, macOS will not display the next approval. From 73f669e1e90ef76a8a27f03a6ab43d9397c0762f Mon Sep 17 00:00:00 2001 From: Office Content Publishing <34616516+officedocspr@users.noreply.github.com> Date: Sat, 30 Jan 2021 23:33:12 -0800 Subject: [PATCH 252/304] Uploaded file: store-for-business-content-updates.md - 2021-01-30 23:33:11.8570 --- .../includes/store-for-business-content-updates.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md index 42f33e8015..82518ed170 100644 --- a/store-for-business/includes/store-for-business-content-updates.md +++ b/store-for-business/includes/store-for-business-content-updates.md @@ -2,6 +2,14 @@ +## Week of January 25, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified | + + ## Week of January 11, 2021 From c795074fc1a033d438a0467e94f052fb1be7966e Mon Sep 17 00:00:00 2001 From: Sunayana Singh <57405155+sunasing@users.noreply.github.com> Date: Sun, 31 Jan 2021 21:19:08 +0530 Subject: [PATCH 253/304] Added Conditional Access with Intune --- .../ios-configure-features.md | 47 +++++++++++-------- 1 file changed, 27 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index d04735e349..877b61390e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -28,6 +28,33 @@ ms.technology: mde > [!NOTE] > Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +## Conditional Access with Defender for Endpoint for iOS +Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies +based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. + +For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune] https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). + +## Web Protection and VPN + +By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a VPN in order to provide this protection. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device. + +While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below: + +1. On your iOS device, open the **Settings** app, click or tap **General** and then **VPN**. +1. Click or tap the "i" button for Microsoft Defender ATP. +1. Toggle off **Connect On Demand** to disable VPN. + + > [!div class="mx-imgBorder"] + > ![VPN config connect on demand](images/ios-vpn-config.png) + +> [!NOTE] +> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**. + +## Co-existence of multiple VPN profiles + +Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time. + + ## Configure compliance policy against jailbroken devices To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune. @@ -63,26 +90,6 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i > [!NOTE] > Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. -## Web Protection and VPN - -By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a VPN in order to provide this protection. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device. - -While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below: - -1. On your iOS device, open the **Settings** app, click or tap **General** and then **VPN**. -1. Click or tap the "i" button for Microsoft Defender ATP. -1. Toggle off **Connect On Demand** to disable VPN. - - > [!div class="mx-imgBorder"] - > ![VPN config connect on demand](images/ios-vpn-config.png) - -> [!NOTE] -> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**. - -### Co-existence of multiple VPN profiles - -Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time. - ## Report unsafe site Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site. From b7d0e0f861f946c55978c6fecc3e044a3d2e4ca8 Mon Sep 17 00:00:00 2001 From: Thomas Lee Date: Sun, 31 Jan 2021 16:42:08 +0000 Subject: [PATCH 254/304] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md Updated examples to have correct casing based on values in Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.PUAProtectionType enum Added an example for viewing PUA events Removed future tense to improve readability. --- ...anted-apps-microsoft-defender-antivirus.md | 37 ++++++++++++++----- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index dc721c7813..0467981cf8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -62,13 +62,13 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium ### Blocking URLs with Microsoft Defender SmartScreen -In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. +In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs. Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings. ## Microsoft Defender Antivirus @@ -87,7 +87,7 @@ The notification appears in the usual [quarantine list within the Windows Securi You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). -You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. +You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log. > [!TIP] > Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. @@ -125,7 +125,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 7. Select **Enabled** to enable PUA protection. -8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. +8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**. 9. Deploy your Group Policy object as you usually do. @@ -134,25 +134,25 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw ##### To enable PUA protection ```PowerShell -Set-MpPreference -PUAProtection enable +Set-MpPreference -PUAProtection Enabled ``` -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. +Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell -Set-MpPreference -PUAProtection auditmode +Set-MpPreference -PUAProtection AuditMode ``` -Setting `AuditMode` will detect PUAs without blocking them. +Setting `AuditMode` detects PUAs without blocking them. ##### To disable PUA protection We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell -Set-MpPreference -PUAProtection disable +Set-MpPreference -PUAProtection Disabled ``` -Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. +Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. @@ -160,6 +160,23 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. +You can also use the ``Get-MpThreat`` cmdlet to view threats that Defender handled. +```console + +CategoryID : 27 +DidThreatExecute : False +IsActive : False +Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/ + fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714} +RollupStatus : 33 +SchemaVersion : 1.0.0.0 +SeverityID : 1 +ThreatID : 213927 +ThreatName : PUA:Win32/InstallCore +TypeID : 0 +PSComputerName : +``` + You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. From 40589e437f4e628d9fe18e780fbc70a721feb3a5 Mon Sep 17 00:00:00 2001 From: Thomas Lee Date: Sun, 31 Jan 2021 22:21:20 +0000 Subject: [PATCH 255/304] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md Changed double-tick to single, as per suggestion. Added blank line around codefencing --- ...ntially-unwanted-apps-microsoft-defender-antivirus.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 0467981cf8..73b795ee62 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -134,14 +134,18 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw ##### To enable PUA protection ```PowerShell + Set-MpPreference -PUAProtection Enabled + ``` Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell + Set-MpPreference -PUAProtection AuditMode + ``` Setting `AuditMode` detects PUAs without blocking them. @@ -150,7 +154,9 @@ Setting `AuditMode` detects PUAs without blocking them. We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell + Set-MpPreference -PUAProtection Disabled + ``` Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. @@ -160,7 +166,8 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. -You can also use the ``Get-MpThreat`` cmdlet to view threats that Defender handled. +You can also use the `Get-MpThreat` cmdlet to view threats that Defender handled. + ```console CategoryID : 27 From fd30b0a830ebbd942b4cf61181c942b7e7ab5f59 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:05:18 +0200 Subject: [PATCH 256/304] Update Onboard-Windows-10-multi-session-device.md Dropping the rebranding note (was removed from all pages). --- .../Onboard-Windows-10-multi-session-device.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index e63643ed0a..1f03573655 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -24,8 +24,6 @@ ms.technology: mde Applies to: - Windows 10 multi-session running on Windows Virtual Desktop (WVD) -> [!IMPORTANT] -> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. > [!WARNING] > Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported. From ff100e743717b62e52ee29850b2e00a83770bbdb Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:26:56 +0200 Subject: [PATCH 257/304] Update configure-server-endpoints.md Addressing: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8911 https://github.com/MicrosoftDocs/windows-itpro-docs/pull/8996/files Also adding a note regarding US Gov customers and MMA setup. --- .../configure-server-endpoints.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 3e1fad5b1a..abdf7a98e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -42,6 +42,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines). +
## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 @@ -56,7 +57,7 @@ After completing the onboarding steps using any of the provided options, you'll > [!NOTE] -> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). +> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). ### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) @@ -102,6 +103,8 @@ Perform the following steps to fulfill the onboarding requirements: On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). +> [!NOTE] +> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government". @@ -140,6 +143,8 @@ You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsof After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). +
+ ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: @@ -183,6 +188,8 @@ Support for Windows Server provides deeper insight into server activities, cover For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus). +
+ ## Integration with Azure Security Center Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. @@ -202,6 +209,7 @@ Data collected by Defender for Endpoint is stored in the geo-location of the ten > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. +
## Configure and update System Center Endpoint Protection clients @@ -212,7 +220,7 @@ The following steps are required to enable this integration: - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - +
## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. @@ -264,6 +272,9 @@ To offboard the Windows server, you can use either of the following methods: $AgentCfg.ReloadConfiguration() ``` + +
+ ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard non-Windows devices](configure-endpoints-non-windows.md) From bd6233826f769c56fb2f12a191eae8fe0588cd9e Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:35:51 +0200 Subject: [PATCH 258/304] Update configure-server-endpoints.md Some Acrolinx changes. --- .../microsoft-defender-atp/configure-server-endpoints.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index abdf7a98e7..8ac55c19b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -63,7 +63,7 @@ After completing the onboarding steps using any of the provided options, you'll ### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). -If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. +If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. In general, you'll need to take the following steps: 1. Fulfill the onboarding requirements outlined in **Before you begin** section. @@ -184,14 +184,14 @@ Support for Windows Server provides deeper insight into server activities, cover ```sc.exe query Windefend``` - If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). + If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
## Integration with Azure Security Center -Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. +Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers. The following capabilities are included in this integration: - Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). From 0c2f8a5a264c3f5f59ad8ef0475298d80ee851e7 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:43:10 +0200 Subject: [PATCH 259/304] Update gov.md Adding: 1. Portal URLs. 2. Power Automate & Logic Apps integrations are now available for GCC. 3. Clarification regarding MMA & patches. --- .../microsoft-defender-atp/gov.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 2bde8df0d5..2fd68eca5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -31,8 +31,18 @@ This offering is currently available to Microsoft 365 GCC and GCC High customers > [!NOTE] > If you are a "GCC on Commercial" customer, please refer to the public documentation pages. +
+## Portal URLs +The following are the specific Microsoft Defender for Endpoint portal URLs: + +Customer type | Portal URL +:---|:--- +GCC | https://gcc.securitycenter.microsoft.us +GCC High | https://securitycenter.microsoft.us + +
## Endpoint versions @@ -63,7 +73,10 @@ Android | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../im iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog > [!NOTE] -> A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment. +> Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment. + +> [!NOTE] +> Trying to onboard Windows Server 2016/2012 R2/2008 R2 SP1 or Windows 8.1 Enterprise/8 Pro/7 SP1 Enterprise/7 SP1 Pro using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud". ### OS versions when using Azure Defender for Servers The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp): @@ -88,7 +101,6 @@ Defender for Endpoint GCC High specific | `winatp-gw-usgt.microsoft.com`
`win
- ## API Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs: @@ -100,7 +112,6 @@ SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https:/
- ## Feature parity with commercial Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight. @@ -126,6 +137,6 @@ Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Integrations: Microsoft Power Automate & Azure Logic Apps | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Microsoft Threat Experts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog From 807f04e1810c7b76dc6723c07cf0635bd5e710f4 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:51:12 +0200 Subject: [PATCH 260/304] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 2fd68eca5a..5223c1229a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -32,10 +32,8 @@ This offering is currently available to Microsoft 365 GCC and GCC High customers > [!NOTE] > If you are a "GCC on Commercial" customer, please refer to the public documentation pages. -
- ## Portal URLs -The following are the specific Microsoft Defender for Endpoint portal URLs: +The following are the Microsoft Defender for Endpoint portal URLs for US Government customers: Customer type | Portal URL :---|:--- From 2c2946d03a75384998f916a26260b8c8a0ca1a6c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 1 Feb 2021 09:05:21 +0530 Subject: [PATCH 261/304] typo correction as per the user report #9050 , replaced s to is --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 76e17626d7..01f89be64e 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -46,7 +46,7 @@ Application compatibility testing has historically been a burden when approachin Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10. -For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). +For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). ### Device compatibility From 8cdd0d0ee153d5c8ec94f7fb3d1d31011f08f82d Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 18:57:44 +0200 Subject: [PATCH 262/304] Update troubleshoot-asr.md https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9055 --- .../microsoft-defender-atp/troubleshoot-asr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index 8a626f4670..e507384f99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -100,7 +100,7 @@ When you report a problem with attack surface reduction rules, you are asked to 1. Open an elevated command prompt and change to the Windows Defender directory: ```console - cd c:\program files\windows defender + cd "c:\program files\windows defender" ``` 2. Run this command to generate the diagnostic logs: From f13504560a9849a630ce0b74b5fe3781e3c613b1 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 19:03:07 +0200 Subject: [PATCH 263/304] Update troubleshoot-asr.md Acrolinx. --- .../troubleshoot-asr.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index e507384f99..dd95924a68 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -29,9 +29,9 @@ ms.technology: mde When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as: -- A rule blocks a file, process, or performs some other action that it should not (false positive) +- A rule blocks a file, process, or performs some other action that it shouldn't (false positive) -- A rule does not work as described, or does not block a file or process that it should (false negative) +- A rule doesn't work as described, or doesn't block a file or process that it should (false negative) There are four steps to troubleshooting these problems: @@ -53,7 +53,7 @@ Attack surface reduction rules will only work on devices with the following cond - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. -- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these prerequisites have all been met, proceed to the next step to test the rule in audit mode. @@ -61,7 +61,7 @@ If these prerequisites have all been met, proceed to the next step to test the r You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. -Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. +Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you're encountering problems with. 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. @@ -69,19 +69,19 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct 3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. -If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. +If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled. Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. -If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: +If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation: -1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). +1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). -2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). +2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). ## Add exclusions for a false positive -If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. +If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md). @@ -95,7 +95,7 @@ Use the [Windows Defender Security Intelligence web-based submission form](https ## Collect diagnostic data for file submissions -When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: From 8d274b26124aa1bf9935770635ffc6ef49baa6cf Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 19:06:40 +0200 Subject: [PATCH 264/304] Update troubleshoot-asr.md --- .../microsoft-defender-atp/troubleshoot-asr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index dd95924a68..c25e934d20 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -109,7 +109,7 @@ When you report a problem with attack surface reduction rules, you're asked to c mpcmdrun -getfiles ``` -3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. +3. By default, they're saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. ## Related articles From d13ea7f085443acd43a9fa6bb706bb7612c47696 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 1 Feb 2021 10:44:16 -0800 Subject: [PATCH 265/304] Update ios-configure-features.md --- .../ios-configure-features.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index 877b61390e..10354d8762 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -32,7 +32,7 @@ ms.technology: mde Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune] https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). +For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune] (https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Web Protection and VPN @@ -64,28 +64,28 @@ To protect corporate data from being accessed on jailbroken iOS devices, we reco Follow the steps below to create a compliance policy against jailbroken devices. -1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. +1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. > [!div class="mx-imgBorder"] > ![Create Policy](images/ios-jb-policy.png) -1. Specify a name of the policy, example "Compliance Policy for Jailbreak". -1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. +2. Specify a name of the policy, for example "Compliance Policy for Jailbreak". +3. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. > [!div class="mx-imgBorder"] > ![Policy Settings](images/ios-jb-settings.png) -1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**. +4. In the *Action for noncompliance* section, select the actions as per your requirements and select **Next**. > [!div class="mx-imgBorder"] > ![Policy Actions](images/ios-jb-actions.png) -1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**. -1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. +5. In the *Assignments* section, select the user groups that you want to include for this policy and then select **Next**. +6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. ## Configure custom indicators -Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators. +Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). > [!NOTE] > Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. From 1adb141e2b2f459d735481a7ddbf7f10311f7322 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Mon, 1 Feb 2021 11:32:08 -0800 Subject: [PATCH 266/304] pencil edit --- .../microsoft-defender-atp/ios-configure-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index 10354d8762..00fc73300c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -32,7 +32,7 @@ ms.technology: mde Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune] (https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). +For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Web Protection and VPN From 5eab1f1af72b8f6bb950f48b8d7e1acd08f53206 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 1 Feb 2021 13:08:11 -0800 Subject: [PATCH 267/304] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 6c6cd0335b..4af39e6318 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -16524,6 +16524,11 @@ "source_path": "windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr", + "redirect_document_id": false } ] } From 27bc25e7daf6b9cc92222580249de5bc691b6725 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 1 Feb 2021 13:47:35 -0800 Subject: [PATCH 268/304] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...entially-unwanted-apps-microsoft-defender-antivirus.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 73b795ee62..5b962456c2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 01/08/2021 +ms.date: 02/01/2021 ms.reviewer: manager: dansimp ms.technology: mde @@ -164,9 +164,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u ### View PUA events -PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. - -You can also use the `Get-MpThreat` cmdlet to view threats that Defender handled. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example: ```console @@ -194,7 +192,7 @@ Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). -## Related articles +## See also - [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) From 87d4839f8baf1e1f4540dc6fae82fa886c6b9968 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 1 Feb 2021 23:26:36 +0100 Subject: [PATCH 269/304] MarkDown code blocks & whitespace (ref. #9053) Corrections to PR #9053 / commit https://github.com/MicrosoftDocs/windows-itpro-docs/commit/9856688ff24ecbf4fe47f7446b9ef9182d2de3a4 A misunderstanding in PR #9053 caused the addition of unneeded & unwanted blank lines within the PowerShell PUA code blocks for the 3 variations of `Set-MpPreference -PUAProtection` and the console output, as well as missing the opportunity to add editorial blank lines below the code blocks, for easier future editing. Ref. PR #9053 / commit https://github.com/MicrosoftDocs/windows-itpro-docs/commit/9856688ff24ecbf4fe47f7446b9ef9182d2de3a4 --- ...lly-unwanted-apps-microsoft-defender-antivirus.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 5b962456c2..15e0a33178 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -134,19 +134,17 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw ##### To enable PUA protection ```PowerShell - Set-MpPreference -PUAProtection Enabled - ``` + Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell - Set-MpPreference -PUAProtection AuditMode - ``` + Setting `AuditMode` detects PUAs without blocking them. ##### To disable PUA protection @@ -154,10 +152,9 @@ Setting `AuditMode` detects PUAs without blocking them. We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell - Set-MpPreference -PUAProtection Disabled - ``` + Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. @@ -167,7 +164,6 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example: ```console - CategoryID : 27 DidThreatExecute : False IsActive : False @@ -188,7 +184,7 @@ See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for d ### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). From c38a104e09a6336cc2d137b81f58016861192a53 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 1 Feb 2021 14:28:43 -0800 Subject: [PATCH 270/304] delete page --- .openpublishing.redirection.json | 5 ++ .../supported-response-apis.md | 52 ------------------- 2 files changed, 5 insertions(+), 52 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 6c6cd0335b..3e7809a16e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -2044,6 +2044,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list", + "redirect_document_id": false }, { "source_path": "windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md", diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md deleted file mode 100644 index 111a228fa4..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ /dev/null @@ -1,52 +0,0 @@ ---- -title: Supported Microsoft Defender Advanced Threat Protection response APIs -description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls. -keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.technology: mde ---- - -# Supported Microsoft Defender for Endpoint query APIs - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -> [!TIP] -> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) - -Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls. - -## In this section -Topic | Description -:---|:--- -Collect investigation package | Run this API to collect an investigation package from a device. -Isolate device | Run this API to isolate a device from the network. -Unisolate device | Remove a device from isolation. -Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. -Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated. -Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. -Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys. -Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage. -Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. -Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus. -Get package SAS URI | Run this API to get a URI that allows downloading an investigation package. -Get MachineAction object | Run this API to get MachineAction object. -Get MachineActions collection | Run this to get MachineAction collection. -Get FileActions collection | Run this API to get FileActions collection. -Get FileMachineAction object | Run this API to get FileMachineAction object. -Get FileMachineActions collection | Run this API to get FileMachineAction collection. From 995bec4332dc63e7076692a99e423d99b62a6a87 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 2 Feb 2021 12:23:41 -0800 Subject: [PATCH 271/304] add unique key words --- .../microsoft-defender-atp/api-release-notes.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 36327643c6..2e50a85b73 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -1,7 +1,7 @@ --- -title: API release notes -description: Release notes for anything that is new in the API. -keywords: apis, mdatp api, updates, notes, release +title: Microsoft Defender for Endpoint API release notes +description: Release notes for anything that is new in the Microsoft Defender for Endpoint API. +keywords: microsoft defender for endpoint api release notes, mde, apis, mdatp api, updates, notes, release search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy @@ -17,9 +17,14 @@ ms.topic: article ms.technology: mde --- -# Release Notes -
-
+# Microsoft Defender for Endpoint API release notes + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made. + ### 25.01.2021
From 2b0b5e9648bf8c543b92c2d5d8a9dc4bb196e836 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 2 Feb 2021 12:24:30 -0800 Subject: [PATCH 272/304] update description --- .../microsoft-defender-atp/api-release-notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 2e50a85b73..441c3cbd30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -1,6 +1,6 @@ --- title: Microsoft Defender for Endpoint API release notes -description: Release notes for anything that is new in the Microsoft Defender for Endpoint API. +description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs. keywords: microsoft defender for endpoint api release notes, mde, apis, mdatp api, updates, notes, release search.product: eADQiWindows 10XVcnh ms.prod: m365-security From 541d1009d1aae85276618653480fce6502a3173c Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Tue, 2 Feb 2021 22:28:30 +0200 Subject: [PATCH 273/304] Update configure-server-endpoints.md Fixing the MMA anchors + clarifying the note for Gov following feedback. --- .../microsoft-defender-atp/configure-server-endpoints.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 8ac55c19b5..0ec1dfdeb6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -101,10 +101,10 @@ Perform the following steps to fulfill the onboarding requirements: 2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server: - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). > [!NOTE] -> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government". +> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. From eb6195222459dee2ffc2c10610a75c569c025cd9 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Tue, 2 Feb 2021 23:48:32 +0200 Subject: [PATCH 274/304] Update gov.md Addressing feedback regarding the MMA note. --- .../security/threat-protection/microsoft-defender-atp/gov.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 5223c1229a..663f76f5c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -74,7 +74,7 @@ iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images > Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment. > [!NOTE] -> Trying to onboard Windows Server 2016/2012 R2/2008 R2 SP1 or Windows 8.1 Enterprise/8 Pro/7 SP1 Enterprise/7 SP1 Pro using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud". +> Trying to onboard Windows Server 2016/2012 R2/2008 R2 SP1 or Windows 8.1 Enterprise/8 Pro/7 SP1 Enterprise/7 SP1 Pro using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. ### OS versions when using Azure Defender for Servers The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp): From 77a070d0ab26a071b41f91e33a1019338e744c10 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 3 Feb 2021 00:20:34 +0200 Subject: [PATCH 275/304] Update configure-server-endpoints.md --- .../microsoft-defender-atp/configure-server-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 0ec1dfdeb6..870a97ecca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -99,7 +99,7 @@ Perform the following steps to fulfill the onboarding requirements: 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). 2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server: - - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
+ - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard)
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). From adaa7e3c61fc32d37e0e9c6ae86b0daf3a32aec7 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 3 Feb 2021 00:29:35 +0200 Subject: [PATCH 276/304] Update configure-server-endpoints.md --- .../microsoft-defender-atp/configure-server-endpoints.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 870a97ecca..060c2d575a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -99,9 +99,10 @@ Perform the following steps to fulfill the onboarding requirements: 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). 2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server: - - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard)
+ - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). + - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). > [!NOTE] > If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. From 4bc30c80528db7c70358245a23d90b55eb776943 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 3 Feb 2021 00:32:57 +0200 Subject: [PATCH 277/304] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 663f76f5c5..3ec12f3876 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -74,7 +74,7 @@ iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images > Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment. > [!NOTE] -> Trying to onboard Windows Server 2016/2012 R2/2008 R2 SP1 or Windows 8.1 Enterprise/8 Pro/7 SP1 Enterprise/7 SP1 Pro using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. +> Trying to onboard Windows devices older than Windows 10 or Windows Server 2019 using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud" if using the [setup wizard](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard), or if using a [command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) or a [script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation) - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. ### OS versions when using Azure Defender for Servers The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp): From d5114919769e1c9ff06d21444fe86603bba5ea2a Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Wed, 3 Feb 2021 00:33:10 +0200 Subject: [PATCH 278/304] Update onboard-downlevel.md Changing MMA anchors and adding Gov note. --- .../microsoft-defender-atp/onboard-downlevel.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index 8bf4aa0e07..d1c3d64aac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -83,9 +83,13 @@ Review the following details to verify minimum system requirements: - Copy the workspace ID and workspace key 3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent: - - Manually install the agent using setup
+ - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)** - - [Install the agent using command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script) + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). + - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). + +> [!NOTE] +> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. 4. If you're using a proxy to connect to the Internet see the Configure proxy settings section. From 600c87a35177d6b3e6a3d7ab1a889366feaec635 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 2 Feb 2021 15:35:53 -0800 Subject: [PATCH 279/304] Indented a note in a list item --- .../microsoft-defender-atp/onboard-downlevel.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index d1c3d64aac..bb6315accb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -88,8 +88,8 @@ Review the following details to verify minimum system requirements: - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). -> [!NOTE] -> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. + > [!NOTE] + > If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. 4. If you're using a proxy to connect to the Internet see the Configure proxy settings section. From 1cce4fea20d4e5be3b494a006c8887283e6f226a Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Tue, 2 Feb 2021 15:56:18 -0800 Subject: [PATCH 280/304] WDAC Intune OMA URI document 350K limit - Document that files deployed through custom oma-uri must be less than 350K bytes in size - Change warnings into 'removing policies' sections - Remove line indicating support for Server 2016 --- ...plication-control-policies-using-intune.md | 29 ++++++++++++------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 8eb3de7a42..1f84641636 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -23,11 +23,8 @@ ms.technology: mde **Applies to:** - Windows 10 -- Windows Server 2016 -You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited. - -In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies via the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). +You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited. In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. ## Using Intune's Built-In Policies @@ -50,9 +47,15 @@ Setting "Trust apps with good reputation" to enabled is equivalent to adding [Op ## Using a Custom OMA-URI Profile +> [!NOTE] +> Policies deployed through Intune Custom OMA-URI are subject to a 350,000 byte limit. Customers whose devices are running 1903+ builds of Windows are encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which are more streamlined and less than 350K bytes in size. + ### For 1903+ systems -The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are: +Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. + +#### Deploying policies +The steps to use Intune's Custom OMA-URI functionality are: 1. Know a generated policy's GUID, which can be found in the policy xml as `` 2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. @@ -65,11 +68,13 @@ The steps to use Intune's Custom OMA-URI functionality to leverage the [Applicat ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) -> [!NOTE] -> Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. +#### Removing policies + +Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. ### For pre-1903 systems +#### Deploying policies The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: 1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. @@ -79,9 +84,11 @@ The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocke - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) - **Data type**: Base64 - **Certificate file**: upload your binary format policy file - -> [!NOTE] -> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy. - + > [!NOTE] > Deploying policies via the AppLocker CSP will force a reboot during OOBE. + +#### Removing policies + +Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy. + From 2beb86cdd0a6358b3f0a67a9fb02f357f9f2a10c Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 3 Feb 2021 17:55:27 +0200 Subject: [PATCH 281/304] Update controlled-folders.md Some customers opened support tickets wanting to know why CFA blocks did not create alerts in our portal... so I think we should add this note to avoid customer confusion... --- .../microsoft-defender-atp/controlled-folders.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index f193b2eca8..34b3992bb5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -35,6 +35,9 @@ Controlled folder access helps protect your valuable data from malicious apps an Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +> [!NOTE] +> Controlled folder access blocks do not generate alerts in the [Alert queue](../microsoft-defender-atp/alerts-queue.md). However, they do provide valuable information that will appear in the [Device Timeline](../microsoft-defender-atp/investigate-machines.md), [Advanced Hunting](../microsoft-defender-atp/advanced-hunting-overview.md) or can be used when building [Custom Detections](../microsoft-defender-atp/custom-detection-rules.md). + ## How does controlled folder access work? Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. From 29073bd634dfcf3fb5c21fde7694689c56762e97 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 3 Feb 2021 08:39:19 -0800 Subject: [PATCH 282/304] update sheet --- .../downloads/mdatp-urls.xlsx | Bin 20092 -> 25191 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx index de1ec91182b84f43093aeee46bb6ee02d8b3d2e2..136c11b15d47022e131bf797785eb4d226ef1590 100644 GIT binary patch delta 18236 zcmcG#V|=B}7Cji-w$rh#j&0jX$2L!FJ007$ZFQ`U&5n&pzwfTbddmbp8U)5tkOl=q1A+j80s;ae1{&UA<{btG0*ZvH!y*O&OscKht~0{< z5Y_@1@3;r0It;NwIDJ;Yv1+CLT?uvfX;+wMxc2j? zW~$k=7U^6COv8>%OQ6dDpegH(3&^MFw2Jz2C4XG-c?*u9AF(XIzed4V;$!Nw-?*2U z7O%30d??7ERCIqjnMu=7hGUdAJbn(6 z3zZv3tbL|DX_Pif3-=_t@B>V^=hj*6wN>9pydEObO5zQbdra33kokc+XNlZj&Wpg@ z$l4}i3c0j(_I;4SrAv-DK_k_^HQ<%|em0R(AZ=w=xG07>;*VKLl#ekst8m*Ho5S&R z@m3#iqPLyPL$I?Rz1TyiT@jr316)&@~t-MK&Cm^Zj~^O z*Nw?9zmXLRXGYpW5N-xzKn%7s(C13dj-+q;2Y*~2P~Zmwtn-#P zYW6HV{zdFTy{mx9LD2L_;TaP_anE!Q%54u&VmvQe!wcvSP(T;zh@=515D>!`)reng zyIV83**RJn+1XjqyW3b-s%qO+a3cBYTYQ4C#ZEIQVr+i}UiWnX*WP7MtlwAiehGXx=0v|K|()zZ!cT{imQ zeGuzgBOuB)7apnrS!`+!t6s+6dn)s_in#KN9r*J0r%O8+%;OU{l;Fxiw|-5Z z@zbr1p_icF?n>H$piyfXIxdqVFR9b}%FHaugV{8L1jb`Qz>ea=D-rpjj+?3G_j21S z*Eu2@91D-T&mR~3A>O_k-!>SqLp!GtldMCG0o?m)>)+?9O>jrm47`x0&l)-6Xivo~ z2rZ~i+b)B;ed69lkJ}-}+3SmtPU*|0?pw&RJR(I8u`JF*L(babV3R09vS@dK+5`!X zs`E{d*E$V?Sc^ATU8aX794&I;|#$01XjgUkwsHdI5*)pEh`)gd z8H?UkhsRH#{E`eq82lK-5XcH~%DA&Vx^$dscIT@*(E|WaT&qGe_@5-vQW& za4jN)^Lhy*(8G+kz>hwgbTyZ_E_HovXK&zPpAX)`;Yc7AFKA4_Q_;rq>LWmyM%NkT zo%-Wu2_oGd@|K;!af(U|=7M<=<@(5A2gsBeGc-pAeNaKR!Fl^++7HT zxH1#zG#Gee@9l&k_K%H6egDxYgtZY>*U zG0Mur#s=WUAZ5#~0l&}>^>u4`#Z+aBP_?2O2*o{0Tip+8QhjGb)#z^k`q7cTmb|nM z0SJl)##+U&io$XOI5H53K(8N7ZGT!<8A3Ndoxgf+9MxJMy)|4r*8S+1^O+4r6tabZ z9A1#$74ttsX&zWqu76%N7+$H1hD`4u5mwws+)Mj5z$!+trCG8VJC8eeO@ZP$pMd0* z@LOyyCTJy|wKF;>N=rTrUsA~YOiH6ANj6!XMUES1H~nD%U?{Uo)~RQ;7LUZkT*ac&wknIJn8&RkfffE_6;OobziNP?pfmFqKcLd|E<=CHi?uX)C_V@Rj5~KmYlY zqu>@1%~k?9a>d~IRm<73;U`k zfs1o7*#N-%)5rV!#PVZJPWI>9bI;bt+Y=-2+rt^Z{^$GIgB^g79kJ)#{qw1|$A9bN z_3Ztqhkonx$w$bx_cfNk`~CKI<`v-W`N4ki8f$SBi#W1A9E;dP@SX4T{^a_3KtCs& z-y3w#$taV0_!qNYTAc;9KFVHMd7TZmS#_NiHlQY)iC0bZf$l&y4^L}cG!IXETs1FK zYrIq;TT4oTGBA!kfJHNLk?@BD|L-@tZ(H8viJ@JWCxh=#wN(``!rv*RSZeL}$(4(Z zcgcQyklS>=J7u?ComEZ>J>8e9Ap3Tak5>~&Jh_Y|A#xhkpkR?Bks+blySFZyoAiWB z)C26YKU_5weDiB4b0~{%((|cv*xAP;3vRzUz{{$ULND{qPa8LrQq%(}01E&!0?~M0 z@4W=|-K`$YrYt^B&mYfbU#hnor^pNv?oXdJthUok=3;026}-gB}E{J#PVB zr+XdLjptL8S!FRz@M%F+&ttH#D(GlU0c3gL;3^&@SHxY08=YoTiMl~Yor(5ylYfKp zayq{Hv0Lq)NLkF0p6`{|%)U9A0VHosY6qed+$o7RpCLoFDPfQ#5GNqhdy#Wc+?+l$ zeb{WT&CoWJ5Z=^dD^QfXvn^=?yuV z-{=%5L(U}1&J=S?!_XdHhZb?DI>DI|X!GGRRC50r#cw2h{dDtUa8TEQL{Wx@l06tj=9<&SLD~f)4+wCVcHSKc(XOWE#pM z1ZNv<%4H1ss}Kc(hC`$2uo)$#;{>W>dF6@ zW&!BJ3s&Y5*Gn4AZJxnnY$EYD6!Ysue^1YhtGMn$d8mF(lQ}}aR^0}6=)S+s+5yb< z?^q;7uhu)YlV;MpE6pY`Yoj=vb`!-D*qMj);%?s61J$EpK7t2p=rE_j#%&3Y^>Qhh zN2bbd$Kik6Zq|gNK;Psl^Ys+Wu485ZJ6;rI{4~lt!D&jNmru-g`U-8$!Af2`8qJlD zkR+#+6w>l3gm{JonJ*@W+UK0HC{t`Qu4+kT=Y##bsujY`oFsgw3u20;6mmplhtI5Q zlhWzzEq7$EeaIJmbv|_id{PVD=O-yM%7*%!TYp9|#d}A*E%hmPF=Jdns$$UrilOqk zvhtTbiObn2a^UM^!W2lSw7Sc+ZA?=1AYa2AkO-6si}@QLe)Om3U=)9jt+vl9QgCu2 z;|-N&%k_R6`oZEDV4STOT)>cD_w}Xkh3duqVnrwH>N1|C89cxfX8qvCs%B`!#)45S z<9*@Vlw$XH5bQCVK%C8ru66(*a-4$WRUUa$dBiQ$5q3+yK7B^Qv&s%`&VoQxyiBMV zqaX6(hI_}9e#RN;9SE>y_--H%^|J*s!BhL(-X1zL@0d}h8EtxI&I`~8a$w?24JC+m z4tK=8byJP6NR+dg>5g@!GNufeky7~VPF>pef>|#pQd!WuU_vBFLqUM->Ve@|7oZXL zzDw?05#xaKSt?~i)Tb<9_P*;mpy6`a-0xrxAjHUFMndwjUpSb)a40-tJ=K9oEque< zztKq_7yN#qcv=g6R^9inQIT5}-Au>&D2Nj0_3IpYq!sD-wGQ1PEsnG^D5OoGnqVh|{-UmeD0b zKKNBJ-tXv{r}4nVe9{Rst_W$Z4kC@RVL_{|Jy8MP1xS=CZt^2_g zxV3<{SAMKj0VSDFCfV4TQd|GP8Sdu&dW|*l#qsoU>3=;(+VISr>WeXp7Bq!?CS?dJ zQ)+MMgA|aQ^e+a6%Ng%0NyuR7;Kb(5+xB|Z>0JvUG0t_wn_qURA zlFMote!FreFvPe550_VK21S80$r1gvdZvJK(0w<4yR^r$H#`{LZMzyLtXPpDPJxNN zVzJN!t^H5b_$VpkRSJc}Ns2fTu_)8Ue}l2SM7P$d5w^E3x_%v;au$nRIGh=sJz@)Q zn`L~KzE|TOfc@nRK3V;B)1~)yUvejQ-w5IwqxO$D(EQbgza#XEInek;J2rxRv7oYP z#V$qS{}Az)2a>mGVZawmH=uv~Y9+`=-r!4zeK$ssR}{^tYK@(Y1K`fb zRgMM2l|rY%>?b>Swsr6`XZ!vmbQA~j{E)3L%Ca#@vD}eA9Jv7rv5a3NrvH6zPCv`? zt0?$i+;Ev{*-;qefYh!+1C4a@Vodil*cBO`0$6S(UB7hx*8wu#?G03n%{Ld2aXs=D zB$R(WUFl;p{^qZRmA`*k_}8DD>#vv)A0N?ZhGw4EpU`W7PCyMq{VQE$PhF&afyNmI z6z)mpGI7v)=`b1F5?7_h8AS8XP3LSG0?^r<|Hx>-77xl_i?{}ehXaPe(zm}bL&t!9 zVTNX|`Ty#Z&r{{}%5o}xTd_oo8I>93KR8j|HsiPd;za$&6ToV|Ji(sKeW7j!%(JHF zoGs`7g;P1>ifs2$dIvyT8N=zpKXz3rb0GPF#K4(xQ=nldP+rmnu4$X0kDnP&4Jkwt zx8BC_S%16N8Di&)Ww3>M`e(n1Hy!kqm-E#q)DuoQ2XBCsPP?tIcX(eVCw7M;sXAIy z{(iZBx!!|R72#`XMQ@D2C-^C+_gbcb@L~dYN^2@?Z5tggtqCxtH<6)Ii2_!_Rz}*3 z%Igvn`kQQKLbAhr?M0mJC(qP&Xy1M?h@b5!(*Hhhdllqul~8D(v-71*SRT# z+~nUhRsSe*8i-P+`H-0^yLzGU)p*tPNd0f)3Qbq+PzFlf33@KlfBc`sOFk_7J0&r0 zBdwR*X!7|@1_?uHqdV^56OYOkUfU-<;0&7$$8KMrvd5CFeRLGayHBs_{BAqrpA;J3 zMZr#(v@%(LBx5~p3uy+oKrPjx>s!rNdkzzBk{VmbfYp$_NvH>>Qo1*K~`%oqy+H zK|TQOiFLeI9Vg-XT>27lZMAyh!2aK<-0)GxHfTPGwCloF$P13;P>2-`S@H0PeIGlH zM5$t{r^<^f<%5*#@=cPjs2TisQC;~`N3payW_2bWXT2z>rG%ehB`VLnOr2>MS58Bw z1i;UfauKQyiVFI>9ud9IM)OipqQyTWsw&NczNq6~g z&k?75$oI$LrT=Y;?82bVgk>h`LO)nO!Rsk_a@sC8Dk1S#u2lX=mWm%Be=V%S8}r+< z6qppMDBqU?`W34IjCcwsGnWdb-qp)7pvgeP-+U2YNsiT9&NY7s{X!tazgiCv|jQee4Zp%4l3Yq!fRNh zL`*lR3i4gQIu-kGr(<88ih-BScD)GgcDX%)C;_wt=iCD8nv%1=tB!J|bQhMRCqx6= zp9W@;Q2*OMRHW}|c&XcsmI(M527V#T z+(nU>%?piQh(3E3Bqh!*)tEnVUm#>On@rJ6#?9v`dT@Fp^dDA4a^}(jkI4th5socH zie0KCIe7t%B%bAs&V^2uc*iV(SR>!(l7+}TcNfIlMXIr^4*%mNciG;aH~Y$QII{=h znEC=*r!WRiPNnLEf-*BnDhY3L4Pqp#C(zUn<*_bf*#9!M>IHH-hN>WFX_}e?2V$Y< zdeBz#<`d5Xux#9flGJBI8IyxX_gbv~ul-HF>`x&tv?!sSz^6WkTCNnxz%*{sT-Yu| zvdB`>sjM8rz#k^?&qS6aZq>HRC~`K(jG#$-Djqe-$INhp8*|%Hf=<>W*92~){c3Q+ zO=b$F>ZSL!PLon~zJ6^E;#ipe2``}lkZ0GQ|NXQOd^H(|XVq-^$3Q(zvc$t=x@qcY z6CC@Ol=ySjiD|8R&7DX}me6*5&5gxE(6uP!jeb`%Bl<0AtK#d`t$D*aN?Qtd!};HQ zWL22lMUk1EWItYSMV7#qh+!h1QDQeYeWvm}RMEhWzobhe+8@}M#UBoc+HLt$GrjC) z6g>$8Hw3rw=a=LMVvn!)=f}sv+3T|WC*=P&c~oL#VfqE&f@@G5f!3)>BuZ#F=)w9> zW!4*6G$@3BQoDPW2)(Z!yl(ErGp}XKsd*BLVU;QeK3j$ob-PVe;cdA_Dl|}UVK|y- zC#17O;WyC7smdO7dJ$)l)Vjl1E;=z{X{uDJgQdPDDl_8cb7)lF;_b-gcRwrFKUN8H zHG>yxHr)%D(Qpe5C`&M4JQ?rI>&;x8Ys+65w8g|oRABzI(FrcU|KequXh=c^NZhhp zCqf$8qPPGEbgqMaS{ew+)ql> zSlt`_s4Ew?7yWB8xEPgga$(pKaJaK<8-7-4ut+%N2^V=DK5ARp+!F@x0XAJ z`<_#p!y9!%%5NMqOG1$JOvi3|fY^_qYuJp}W7C%@6YZka-n|GRN1yz=B_{Z*0XM%mdumF06Z$0-U)(D$*$xJ8 zgjn{QW|GmM*HN@Dcl12wy(DCMGuQ%UsYH)SN>_HfKc*$rH?D`H0H1RYad@^AEOmb#UJaMw zWYHN)a(3$-HqqbPxE?ySW^`uZJBifcHr%{cviHYS>(Fnce_fvq-@muP5n_A`{CAArYoj%wJ z6#4)S-DR+h3Sh+~H0qan7Np!6N&XQn|4YX^j99gREkNnnfmr(;Z0aBs>xP;itmv(E zrOG$p@J1M}j7No(@?d1h_8yfrmC#6H3-RkyHCKK?r)T1jfR`R9spsc#-K*h4lpv%o zXLBw!yJY7#lc1=sPaD)bsQeMXR@nj^CCL%Q!>|@O6BMZUY_d2{2U60>rIC~+a+q0V zVO&a%KFHqj`s#7&5vD1oSz&R?3h=+R1;X;sp?Yv2pmvP^))oLPe`}tZiPCljj7TG2 z#RVRX?!Z1?l>E4I$)M(zMN2}nku(Ev<0V&uMa!O71i3^tDMUqb1Bj4MyC3J*Z`Xy~ z&Pc;j8>yTKq){R>E_AOp;ee0Q04lMiy6zuYm!jeNK|`^Tp$xYL>^$o*J4i^L+Ph0_ zhGJm{RSJ_Ko&Y315gZ#drz^|mK?JedwMZ3lbF>2yrqw+b!ylK1$HnnFm26uyvmGph zVKH2#Tg{HOm_K(Px6xQS-jVF9AOx&UC^jNPjS8R6J=U!T*zxatB9w<`$9hF~Vi@^3Av@_7?tX**>hv3T{Mp1$LBjm0en2|u8kZ5LI$n}buChrL4@qGjmXl}az zJL={6%;vyhRBXqraptM>};SBGW#6uq= z8wmSTHGlfZwGG<}W4PLdbY5Zq^EY`A`GZhxO+PQ}9_#o?D0Dc(6aW9Q=bvWyw{rBA z4jlXf{Qb%#3WXR@L}`l37pmB20S_-(Oy7R|$WA=3nTjEJi1hGgG3nIX+_dGFZ<%*^ zbN_64-gY%ZzF(t?4oi_#r0Xi>{vfoetx{0{zM3d(dh$V3&(Z5uo-8m4C|0qD1iE+M>Jwmt{F2pXZFIXBZ?|R zGn^EMz{x5Ub_poPcHRAgRiA1*E)|M@01>5{Az?s+wx`!wJesS3lapAmV6ZPr;@t@* z0q(R{&5^EYPS2$rV*Wjf4Tw;>3BnXl2l^qjnkh5>I{~Y5&b5|05bdazkUnExvMtg# zcl^n}JW0UgJ4!!|`R@S9XOa7eB2*QRDbC7qlMx^PHbH5Q_-;Fp?&bJ^@=d%oA)_WW zh%mXiXTu{HtyS!$1ao-3JSRQXW)AyAk@Ofm^o_m@8R2B31H9&6S%6_P&SSjryGSKJ)Kya59Q)AvclpCJkd(K*3WH_up(>BIJ}@nuG(C(axr)X`>@<3pIB zYjiq3bE0)$2(3(Sl#RtgZ|3D9RM!yIzMiDT_z7e%SJ;h?S?Sm-C1z2n=Z*8qXM!Tk zc2Y}@ByQPdOLiOq+&X=^eR$fPj8RSbb_)sfk6e5Rjj`Bh^z6>FGgxW|%t4Tc+|zAF zQfzSj)O(QC$rDIFSi6W;!Y3J_%Haa9wAxw?#BSe@ps$$%b1i?-p;a(DX+~q?kIPed zl-Bza6|nq4f0G0Ew4~%W`z7SKnpH_yIzAcRiE$IyYUvONP+3A$G0kSUgjt%w8+Y#E zz6F^`T!{4k8HiDH13vB$Mm168cbD?e_^;Cp_g>woMg|oKl=n3xM~YbCsQWUoDQBR%+`P7y$}~e>HtOb;0Zq1PF){;(waX`v27Q z3%6Qt$XghAMTteS=;jvHrq~AK5QCxN$_w7|Mc+q!iT`Q(^AzCx`tG9?eKpW!u8}-? zAPmJkxXh%3>STtn!ayecwzI00nJ(!L9Iq?K=bf1ktHTA}k3zy+R}%M62eh#qYi=8? zEF^$V%+i?c@yU{7(gnkvjm%;wfpR?ku)c_*e{i#((S;72HhRUv{2kgz&>{9kmz2k? z*unu;&Z%R=#hJzgnrCvB@ z5*L{xB8jFjCy2ac)CA+F8@8FWCJQ(v=Z$zj#LecVb`c(RkzrjV33tc5MOLl3CubO- zAs?qH-Z`tIS0DT-Xizr3R-x3IIJ~ zp5Uo6IuFFC7gmS57{i)L6oiL$c~^k{TgR>A6%qQ0;6iGIJb^g4*|UIAq7n6sH8G9? zr{OY}TT~mE_Wgt28n?s&f*svwZ)Mlfi+fin1;Eh#d_Ox1HVFDoQwBgwAQ&Nc;5j2G zB0cgN#!f4XM5kDQ)xl2EBY<5|UKh+TOV zeLxPn5pIL#_|)Sc5U7zBSuE%j`VP6<*bNK>+z-huer~SnG8zPWU~&FNqT<&0W4y`I z!E*kzG0hyTzVEqGN0IMH8VOPlZ{~loDDw8gd%I@g737HIusdeWLAx4oz#m=0TjI?bK#X8Dr;!_^N=#fN1)Z5Z%P2yXAxmvR(FI zD`353dRM7IPm`S+&2$qlqO}!PL~gcRZgBW{CM?1L9WMxmfX}!3EkChU1B$jEwZ7P0 z>eb!qFIpeK*~Yuz!AAF3i^i&GP{mpdTfbw(3V393Eyqi1`T@nePCY!$nC77vs1CXH zY^3H2rqcjWM|Lnbpgsj`xX^)k&x%rN7D8aKZVgc&xpR6|pmaMov6;2oJr>axUus6v zG7!~aSfrk|J^EfgNHN_!l+pEKV^lh5gM;10pC9DYA-l&&Am6RI^$dItR@x=2oEb^D zQQo*)ufomqz&EuR>D=H(P=qkAmq)n*`cNS$jwApGUhK!fb5)?nVX){0x|zoJ{Z3rC zYsAG|ConJQrOO#C&9(cGprbe-mjy(O6CM&a{hb>j)foPVls#=p!@9Coy;M~&*fBM} zd9f!(2t8iSpV&2Ct~z=-8Ri1zpxn!M(6rC|yD3H@ZIe;x@SO^=xs|ekpMqDkyVfW?Rv6G+1+svXYKg7gM2OG@1SKMG~hpxem283ZT~1Y zM3)O>3*6u*t<(%yqov9~)n19nYB(ep&GUSk??eWJzqk=o1y-r(3RS2=DQBZ73Dg4Y z-_=7=O?_hpvjX0Nxn#Xlaib$M{po4eyQV-Xs%R4>ox=g z8itJO;c^!fDg930Wpv7Mk!uOw<9ntD{mEs^NAJ;b-|B&Y(<$4LYH19y3 z88Q7)FdfW@HePS}n$i(Po3`^rGP@8&4cvKXF{u$zBcLHIm9`3@P08dg-PAnc$@UU`8;V zRu$e=W+3CJJ@go^a=SBK>4s4-gQA?m?=}a)Umo!o5|xO4wgH~_%JbL9;}WTR+h?iQ zJ}J@Qi>DRl%G>TFW7PsW_zM@9x5YIi-E|>65ic(Wdcf{f4ekFu$hebd$)YQp8E;@mcI`*a@`3t&+SiVTJrJgqhj=YCH%4nF2LWtVHRzOob>Aw z&xv?|Be%@vM4yaSc`~_yC!Fx5C=9BQ7$xFc_?ERe?S5sYbOEj{R+BmBA(S+-DD{dc z*=^CayI9~86n~py$~fpc$h9$hKW}8~cDJ;9+mV-b%5900DjqLb zkC>~mkm(d+xfUCTiLJtA-4v=kEY7P>6P9t%q7)#<8CQYsYE9p;axP5;57x{r>Si08 z*cl1O`u;ghUjqn=aP3((dpkv99} zoo)8Mso;zCu%KOdFSa(IEU!#Rn4SHDw2guP1Gnw_OTa|Is?D3UFz!~a#;B(6Jf)4@T8Y)LSR~i~Vms~`zfj+jXr3?$HPmA2|yjCo9ARTHq z2^N}4Xui5^;CdYtD@LmA4p;j5RlQ{He1Sn|_ChcWTu=hG2n!Ea-rM zzRq3#vvM#ubTl! zE0;63Hz37aJ4~dU#B}8K><_loO(f-d!aAZTPB0!q=}&|A6kSvB=UV3c@Tj2Jb<_u+P;9au%uXv$7~=wTtR0+Yx?<``R2{rMPX$uB zI*$Ys)t!;L06j&{9-{&2O7NX=~GwN=8GvN=m5`{(dD z;IxrIK)n*Ji%C-DSEJELX`$?zUE3Qx*Xt&)LnNd!Xo|d84pU(!^(REhSM~+51_bG$ zSXvp;-Y6p{f?(jP+hs4jj~<_j>?{5q+8bFkkxddnDJ^mSU{L`t12mif%a!qufN)Gk z@K*y~78q)R7h2Wv+DxFxVE#Sk1tylK9F=&$Px|l+i8Q(x!ARU;<=?_XlI6P!d%kf@ zv?NoFeGJBZ&LrM6sgzpvl7l76-bbEYrQ_#Db@ry!C>IfL;nTPbnq_{G>2Z^xd2181 zvf>5Wj1)yz7slHtZttP-s$gE4C?Hk1oMMZpPIJ_VBnRu~D$jInwazyUy%^m>t9mGa z_z-(>Ar@XBFSPiuV98W9BYSa_n}NpwQCX#L%x+d2L)Ygq(%*-~D!=VjUz3?-tNiLV zErW59Qjj_!o@a5DpODm)6o-8*Ts>)doyDa*v*Dy5UkXoHyVe>|N*v2-4~^m{<9lZyt4&I|wz}%@3-e^_WBS$Z=~)>NuII|aAgy` zrs93x>5IdfhBaPc8*=!ySYcG_kjzwNiZFQD+QhBi2CHe}1_t>U&euI8^PRm5df7m% zI+63a-k2E`l0Qa1O!8O)gx$;w+1Yq7dn9(m?qNb-wxBi?wsdgXi@Hx9UWysO?Dl?2 zZa7Q3GNARl$|EXllA)}==TN}m9)Ga=I0ydE|d9VD*P z@niQ%D2zOVBxp};JCz`*sz^0?6E21dMmsOpP|>Ig{L-Uz;mpbd)E|ACjMiEHLOE}S z0)}CI=!O-Eyy~vlA@|kMIpoJ{vs^5H}s) z0>>~hq*)7O{#L9aT`P(O{#_n;F*AE{gUHr3u;I-y3uQ~OzB-$eXYHi=RHQ@?s9i~U z29i>`#h|g>r*vHkKzVQ^J@5I=-Q?jG_>K2|7EVG#5l2e={m}cZb0I*?Ay>Rk<;KaTd&2e%qsLAil<)J zXCEKXIKDC^`^E4vtnyk@UCIEx;mvf+EHgnxX$sQwlLlz;)+K7v!~EjCc1An*ofFdf zjT$hHoL`GDVEdlesLd6!cN6JRDR)3Ht)MLtN)~tII|1aPyp3Oq9=c_TL})QguVC+b z$j*70iaGUD6woc;Ps_W^0R0s00{dhN!XNRFW+;1++)PtW`Fd7Gjq@PbmP`C0UN%y{ z&wh(tI8hM$p$DGc>vxEo3r}@flV3ET=`r9^4=+wMfMon?+dyL8nQxHwRFIHH=b;U^2Sk@L8W+@ zF(6sX!+9&*S$Yj67E4E9Xvz&sWqwbW(}l<>rP5WWrb@Kh$*(N;X&i)jd`8C+UY;R1 z>Qm}&1DYrnTFI5NGwmpE0^9d%bxQX&h>3&mbNk-l3=~OQD8Av6pOB+_k?uGUAZ2#f zmvy={=vQ9^3oiN|>w9`a1TC;nxwV7=#T9TJncskNG?dS;9xp3ot9`VWF!`p!?HZ&> zB7RdTVt=~AH!HX%XqZVV@n$$l-Z+K$Znse_2tXH>ungrkgd3KMSs;$n5g$~*=dcQ- zdfhvJdGK#f3LQJ`*cX#~RMu_UUZ%y&l3^_v>$-AKnZHg*wAaG93=9z0y5#?1v+toX z{)p5JC#3mvWJJ8^_n}Uy_(|tI{&@GiLT){jabLHDrCVZyb774*$kalCivN8em$*7S zJYXN&rKPM&xp5oETypcZ)>WZ7_7Q5skt+^#y~2hvuIduz1P;P5V#zVeXxK;7YczF- zY5zhELct61pl_-MpAOU-*LTf zd_?Tq3FCmAcwh!3q~MD7TSxaNQSxy0JC^Um(>4CSf+**8M0cIEcp~GBF(fzCDuDQ+ zNRtT7d3Pw5IXWE%C$d~zy7}$&a8v@tLD)RlH?j;iF7GZ%acDLCmut+*a(t+Q{|j}0 zF6M_HsiHIE<+_Ea7hbA#F{4#uw(zRs?}}$USS8PM7S2o)b46oe%9C^6wEUeYIDcaz zv-Y{Q`(E@XVYigWN1WIb5FM)X5ORg~ z8!At?OnZWU*s04k5xX@>8GuC@18gi_5Q?CIR6ow0or5P8*|rs)^{xE%2$wW7y2D_b z0BI=&W}uYvU=nJPDS|$yp6#}~#c8}OddQOqF7A%`&AWj!br)36yC&wdhnK}^rRul& zYL8~G7%*0KcvrU#fcFXnFRpB#5>-D$l5vE=d#P@e)Z@q3<WWtJQ4)ulL%+6GEhzh1_ z7)J2{rMz#CritAkV8?TkaT2EHPg@06sh79*0 zgi05oDpMlYGoE4Lsz)g8N>}FE6SyR`aXeFpo1S9dI3xpSg<&-2xy{reelH zL6wdM%g_=Hy#azo`oQr~o&1$zhoSo1rE*eV>0u-{$|T%QI0)fRI}5$&sgI#L<{?#W|MSTeImP9bRldi^MWRHK zu)L|rDE>PE46@Y#=RfXL7CSGN|?$Y0hK8h{!O7jHiEBFTo>*^|VWoq?A^+}bvD&V_>2~GYrY9xf5x|BPq7>ZRKj0}*uVRqu5TfL|&vtBv> z*({G?xGXk`3O?xX-RU4j;5CuGq=IEh*B=Bs$TdV+04}VNOg@d@pn+-pK;ZKTH42Ps)~)Y+ z&))xwT$#E8Az4jn7CO@y2n%c06CiHb^rK9h-yrWIi1UHEY_psa4Q+@lh%mtX1x zb40zDmI~zrjYjMU=0Q%G8X!GdL829t1UPlY)_V!sHc5f&f)o~F^55aj;1;46G~AY} zB5raVR|?^rrfUp2q}&T3O~p=^PT`@Gdw)bw?Ojlxho*Q!f!*b*V=ch0tM=;#P3=^H zvrvK&iT=7$X_P1(#gB#8WthdQ02CP!GKLa6>*{U#fdI3n)WqAp>q^lj~HXv6F2!0eSz7^5S>_x-qnow7aYy^}oC z82{fNVE^o868_~#$55OJup>TRy&mb3f00FRU$=Xn)`-p}keh zp+>aPVMSQ}(p#bremgUBa;$lrb((#x3uArXp{ChqpZj0$v*%O#uzsqp!}~j1_?&Nl zOM3Fn%irneWWU)Ht@oSmzToHfVeQ-2g2w`Cfm2$Qr*qAbxR(4|Uq#v6{+n>lSBpY* z`KJnZ3m-Bays<97+-vsDP)0sAiy2?ce;%w+kWbCta&_+RPbmxES>5d7mrE9r`l#|e z_|Bi0?9NAsBCpX^v z?jljY@X|5;IQ~5cm+lr7t^K77N*KB7I~!OD4=TE zsM2S+X7MT|m6eM{9u|AW_vW>36&F>n_s|!zTW;Q|u{Pk+2A(vHF2zM02ZfZmKF?CR zWU%SfqZhtSyZiM1Y6%}>sp|Ef^r zRIG=~W|tp&YQLp!?X~866ju7{?-ZQ}bMJiB`+olhzoT+*>GGQCg)=r<|6`oxeoWGm z^Z)i*?q|`<-P6C!?LP}ybg)^-Q;(4gaY)K!FRwtx|C8r<$w{N1t^piSg@V+{SG|;^ z5j+1G7^GlQVEWT!A#Yt7)a~!c3T%0yo8cwJQ-O6D8xLr`12T}Eyue#q26c@aviuHJ zkO7RwlMB5?WKfq)AS+v-4OV6XQa1Utw-nPJy~)qLRb|j;m=Suc%_eL3$jhJ)BqJ1* z*iBCMabU{!nmp55b@C}60U1PFlYv1Qp%BPw^#&@E2Dp$)R&W)YEbk|vhh8)w6vak@ r2fa}W3b5z({iK*KL{C=mloku{W(BS<0U0mC5DHvD_y;)6&cFZw2ALap delta 13417 zcmbumWmH_vwgrm2ySr;}m*7Dgf@|Sk{2;yD-5A)5Dh;RBJ>`0rKc{eDdk5*+ zHqDA>DZ!X2jurBoO;-*R1Ciq*cu)8LgdG9wvk&2{pj~HDw;|27 z$Mqmvzruc2Cb1Z~e2cr5k|nlWmeR$W^3Lv8ZQd)h4abeW30Zvy7~Ic6#%+hm^ME;E z{KL#}=Kgi8y^4+c$|qE{7Eg$h$%%_H-K3?cao5|N&;xZGsvo~ko8S5n(_e$xx2mey zmdu++69umrrybv|Ds;rOY)iGU5n7M=E-1o#nQV)=8Fqj%QmTVm4AmTE1BKpYdL1Q< zJr?0lNdF+WsJmu^{owBb{cKJ-(e(=a3S+M()8`(40(SZr0WsUFJ<`v)&%{eNp}ZfL zC}8U$lH1!dOy-N2MB~$Psreu7Fl%pNKfGHbhhZ$7iErG{)7qdYwV;RK7u8%@q2g=W_# z1C!5j21Dj7lKIP8rR;p%dv|{{!_n=YiG;RqA^}af$sjcZynNxfvEvNwnpTwVRSime zdS95EB7U^7J>=Nc=2BUX&sgup32HAa5%Z@mJYxZ4nx%DzM(2x z55R8=P`}TaWJ*dYNk;0ur%DIbf34rzFthmAvKsZa9Fvy0e`SegnJcrT#^bc|f*JAX zS+g6=jY3rKD%nDq8JK$jjius1mv5eFM9QZ~bY*-mUZ*EzsSlc>An*3aQYJTVO`c?W zE=)w~$SK^F1UAyeV5pH=7v>L%z0d&B*4ODOq7n?KjK~qYMdA@frjp$eIZZQ{j8`*H z$Yw)S!v_4tm*NUBLOt24BPa5Nb|Tpz5fT~5=JVp}Gq%_>f3&qkJ;I&P8dAr;$@YX& zT|2(Yq=VIG&~o42{*jA0hNEomoSYgZ-rAAh&Za*)5M6TOC44(I`NQf)=uOd+S+(06 z5=4C{PKLMX^u2EgAi*EOY-6H5gCAvwcrm_MS7u{$cgIlqZaC#4 zePvOQHC!8XKxL9)a_$>{x~&c~y4}t$3izAzP|^|xuVTCEmsHK4 zN!j1*ZvgGA>){_rnXfNqY6;`b;ue(V8I1+q7517j-n7l=-GMDzqW!Y`S9J29Cyjm; z1>nS>8=M>SlxQdJU{3t1^dhdMK$#shhhCevFqeq7CuI6aJQ^-v#2>Nsoz_47b?y|e z-rXXq9=qgiS0lN8e>xAJ!c7A7lok0t*YXJk|A@g#e+Sws@6aC0Y|F{FXAcNTUgb?f zYHbEBC&LBm_yndmJwf7WoD`&gKJsJ7^_DyzE;z@rV6j;X}QM0k5;Jq z#=*%yzVJa+&7xJ3rbJNVU0TnlBuxV{UQ6*WN~!$=uU$#ZSwB@^0xhz7zizXlJNdq( z+eBumV|o4}>Gek&x^=W)<28zj>+mO?fDoe&MWBMe#In}}**q8%=)u5yXXhG%H+lwO z^<>1I$#m$7l$zn*KJff7<8J)W9Y2dbiaMYvE?mfCz)9~~%Yqi?cW_tD$~!7?<)Zz3 zfcjq^!u_8SWSp2}mjNFNYC9f0K~D^JKt}+Kj9iz6Q+(G-A2B)F2ly|KG&4(jQ)sal zzLm7!L&^sg%OmZ*>FJw!-rldJ(xu}$-C@BM9jpr4@MCHwjA`%Wv-(5OCwgD@v7*7pi7*A&qljohDlSg1< z0AkZBW`u`r9M|}%XnOzXady`Eyv|RLlJnYed46-S@o~e_kLAhx#^2pn#BM%LD?fF& zY~%9s;=r=qhr9{t1e2NTYOUjlfBF9L*Y3#G<#rHR!}#G_uBWZ(<0D;ppT&Y;A3aL{ z2VbAY#m+W->W<@V&!SGP*NB9i8P`DBN#%Xd-JvU_`T0lx;b>n@*k-3GdLPwiQ~>Jj;KK$haV3R#|npvxeNvz;Hlu%;>|(TV?8UpXc)mNzFOfta|hixk+koJkRKw9l)GLzF2ELI?2Djj+(wZq+H%T`c=m+JcK|9teu!V zEtD%AIYfe6Zg)FV8MkX;M_g|X{h#yE8d%be2v;b|s4N=~M{TY@_%!-)EaXJGkv-3& zTj*kJmJ)|NUw@RroYi}t?*aO@u9ok1&-W#+I#ZWdu8ZDs)j@XLG~^b3=b(Os?DmaR zWPa=;ZhWe}yY;#D`q)AqEth&eWFeY0&hRN}bbQO^`Ap(iA@r)klB=%N5>o4sR#;D# zZwbL=ALyw|=?gCvkIH$UhK`!h=@3^GW^~J(Pn(_R4ym>A6UtPp83Nphp38aa*!=T$ zoP34Sj0kt%wwYE(Yr%5(&l!zPi65Zr6G$9#grzRtw0tPm`=)eDSeJ>;InXm?x5~Z5 z>Zz((H1~K{_jI#S_3Wo!jw&l0=XmInJi3~?F^p?7wcR9Ck3d*dwDN0U*RN30*(KRt zB00tpQMMoDLN{}xQyee`n(nkR8%SS?i^wIUhbDwXi&&va_qUtly|Fcmmg)~OkCyKL zWNy*tW*?+1HB1=7jn1qT!i~zz8p4gq+$`0M%q*8{K~qnVxj7)zxVvqPf5%UgsuYdq z?dGbdj3aO>V!@F?7!|sfFtJyg4`+@|vof1>#+w#}>3V`e007w%QSnZ>(NYRGUu3Xx z{GF4`^n^X>=nUtQTkcp6W5tYj>f9m8Z&@gkcB{8KCy>RRz_J@cf?>V3B zXqyO;g>hyTswLiLupcOI@Spz+huZ#C*XdVOEc3aZ(vp&c{1Q2R`c-<~*A?=MX>mMP zGoUMBS>N5y7}BhU~=4rUHI^NOZt$cD3-+{QEM{n7`;v@3{ixzzRX z`*_dl6m~BnY3!ZAe9-DkgV*U(+eR?no>3g+Yx_YSS1yPtcnAGWQ74w7t)vE#~bprZr?UEyIbr+E&r=(&WK3Sb^a`dG5 zRBH+Z<}P&wWcdgd^|vJSbn!~x6}}5o$wrv<%0)d|zGN}VCtcm^;8ns;p&Y3a$nN$n%85BftU*fO3k1wIjBCLLqPLP!y5D zrm}V(_dvvmhO54XbJ%08ukt(r1oGn?4>0C{!`%ioQbla|n`PRaSK;sd5y1%1XeHI*pDm!Y_C3mxz?*y?jQ9j9(( zSIXo3DhG{7x%f}btD{<^Gv`>vGft`%Zl#D(9D9=l-TG4feIf=s*tVDcSa^IFAWLRh za{)Qi3ra&A$YEns`Z-1`Qx!Ti9Lb$jy`U@l-dO=ifm4bT>;PFDM3^I0OZqNzi=S9@ zFHQ|CSR;>7yjbY$7>CuthTF1v4$>uPxHeCu?^-h#eYwUdsjA(R+qETj*zR~$+|i3+ z0>~o)xe2+qp9JkkNH7qkhQtE6lOle?GC3KP`LHHl9Lk?oi)3p;~ zU<4yUeu}U?!BbFz&bga~(7{N-c?Kt-!xGX6)rcCPR&-vC84@ zeU*y_t!ntgix`GFD2@3#au~$mQd!(<%GDYLuha|Srw`r^CX!;qk_{G@4Ld7o8za^t z#2bs^a}?Z^MRdarr&4lz;Tzn%im&%?4s^E3R8E*=>hM2)#>2i#A__&OM*y5QdAc~c zPL1G$Pr(Ao%dVD8Z@p{fBYJppTXCvn$V}i$g|P;(%mSHcE=ritZnZ^cy}w69fpp0A zE7%Q@KM%`WC*@WlA>+gMMmV-x%9_sBl?rSLQHNro%3$ZJJ-+)4l7Jc@G*wi4(|?GF zg#80<=^F%8T%O;TfY}?gwE}QaS;#7^QehjUf3IF=s<|kkM8iEmT<^7vn8(DTi4VCl zLcWA$#~4ZkNl20bfq8e(&S=yG3W|ExGe!EKgjNc>9b4#8f?k_4f^{dVsGqNyrE_ay z3FL=iRNaPb1$Pk*OZ4Nh2I!pF1VsTkzfySoW+f);jQn#%XZ;YfR6wGzD4u+P(-2e- zwE`Ce1|iSF^g@1NQhR@rA!vb%g_p-JRjYrO1Y(C`55RgIwBw;mjDp%X8^ny9 z3}Tlw=>WNxS>aANnMt|7(D6?N`j-mGe=FbwV0D0ank}_MrIMlOF;J61$dZ}w>8bur z4d4$qa9$}E!v)|H@)#pahD$2zU22DRo3%J>j+jf)L;YV`M0PXf=0W|Tg)B5R3|C>C zMrgMZlMbGj6@w<;L~3WShHRkVzuYftngmjRu|ujYF90hL>Fg@_h1r2Q`tPuDSWxyx z2m@IFlwPi2U8+bVKNghy;7AxjXY5UU_+TWNcq?sU6fL|YK{lytFx(5!<{PYGtknRwxuSb`*(bU1uo_(YNaOYbNHwxV9) z{(7$1*sJFw!;qoMAO0syz)dmdx|b!nly>koI?l2Tqo{p=Alpcj+T#}*&&N=Pc}#_u z*wz;Q5$}~)ZoE>;_s#`u>oSLk=(`UY>6#K$u`km9hWRl1UK5qYC6&#P{hgj|thm8M z3}@6s$XN(CUP?$A22Ub=u6{sA8+}xK+iRM0#uuGe|E0G7?kzxxPA<|)>W2iExmPpi zq#x|E0w?umEe|ckLvJ1KJU-aPuWwgvRA`(sVtbF3;4hC}vcD95E7%tLPxjBkykvi3 zw#*+!jH91MD;5)c;RNJnzoplx_C$;pA9t{AGD%&Qz(wP-K(F_PMC!m`(O@aw5m+*@ z;pxBty2ZhYP+64nLC92>ZV^lLJUx2hRTX^!BBvk|zHB(x%urhT?aTQB-1&r8e#auU*ib|LQA- zf8u{Tg}m*>Db!tEw5o=1`(rvPWwl7#>k;OERMPnr42OuRY8c$~Nj_W>Zh!rcr;#xz zoHuC{Iy-Fjvt;ARq{;rMW89}4IzZ6tPa2VnO2N@6AXcJ<9E-9zdo`x4uVW7^bK@rB zn*F2Jf;Vr1J|Vtj^3N_>8LA++(-&b6hC_@KgrrHTT?%{~VC&A zc&{m(7o+XS`J-|Q&dv|&m>504hkMpGzFryuewD$gswSYn&yVOQ8q&TtCwmqZc2|av1-uu8{a@T3oJ^ z#?w!YjnoeZ!Fj2T8Y8TG@LM@I0nS(C86?q)(h{zpdm0WWF zxDpuIenR4cvEM#nlz304Z&3hkoR^&A(E?HVD~|<0dz^hXOGDbUvCroFrLBHq@(|*} z5stO_F~K90h$#+7bI!@m7yRtM@a=Kx*(`D|@YeMgxb_R&ric))3R8QkBA)4JYMbLP zy7_<5eAz5>pQnx2ny;o+Mbd7L?A`FbW_fV`{!$w~=Mf@f1Ee;VrtYn&iL8t<{87?B z{k~OAUS7=fkY|~bI++EXwMJl^K)&oZ6fA>=s1_8UoD1)!JPAg+MMB?en^j=jzW^VQ(HN14GkS*@1LoJ-pQ7kb!1eb zD|rDBTi&YhP0yNABw<(h4mp+DyMmSOE{NFaptu_%!1c_!%B zjuE)icyjF((H@e8*K$1W;pDcvXT@h?{TXm9+T*0Nm>UCb4Lu8D%Lm9=gwJ>sP3pfm zCE267VIohxHM&QSZXB%PB6>#bRVKi1-qlWPG8AB$f-wjj$R2>8AII zImntB0ly%&Z2+CcEZDoqKH3VjA5+ zEew3F?zU-qE!W~C&k$Zb<7?EG^K(^C$B6&IR=;4Q{$dIKU`OPMd2uRvB4u~l!1A(o zfFEO=;$MPox5vq66?$pL2etWB%9lHstOag+#9vIkBSW87Jz=&0;uI^@XJLlAp#-0X zR0)y=|4!Y4!Qv<8>Z~rQvhd8=Zt?nwvH7M``^mw_1eI!e1s?(}rn(@Bs)LdL@;Tif zpBD*g#tSDNi)ac@W78NJ&&}G{#;uFh=@^CyG-_o+%GYD%LwFw9XX{ zK!R4fh=%+WdC8HowL#jX2*RY=gR;&G56K54rs->>OsxMEsl?TRoUykL%nGlkc1Q_N zByG!3)}5S6eHq^sEA{q7V5S&tgS1W3!~L zXr@Dyh#F(pbZgu6;|xw2s=q|`qw^|te6dQ~qBta;qRsQf=7yU ziaw)4MMgAbUu#{L=m)R{?i4;>i66UFG`&@AmCLJ}FG#6l<=R%lCR}>I?ejqK-xt`e zQ;MaIy-av@*R4m{&Gm-NdjC=j}Nc5edi+v zenmqEq%6lSy}}ATVZ9`$S(DzxvWCXiCW~w#OfD@A`+$q4OXqBx(NlWR>X`|p^r?2J zqRvir?cr98*hloEXkmowI}PUqStL)f?J70`)@*y4i>>>-Y5CYGUV}*)3pS~7<=g?t z0A_xEyhy#JvdEYC5+wWjv9OA=O?IV{gUC!v;M9WMLXppKIHt^HXs;AW5qJK&Z9;{4 z98~fu$)30O_2jTU%tB+t5aKCCx?AdC5`ClE=g z>fpYw++-+Wuo=~K5fd;LWS6ZVzFn$)z?jc*obxU!FSJw9x^K=cXU}o-CJi#G-4l%5 zLd}IztpFAFtU5d@6LgnbwCT0Y+8zU{obL-Hyn_>h7~3Q~v7BtVx)CFeMG6XLZz1g? zhOJh#}x<)gM!zMc4m}qMB(bqKCkOLdbec&C_L{K z?Cl04UT-Xk#>59LhgA!>V8-{}L@SRgczs$Ac)%Pj2YH1UI(gJviyJHXAi(=zHlAFu zKG`Xsf*{r*cOF1|O~Vr!%G0}u_OF;ak9wcK=u}%zBisIlKRP0=WA@``Akuu$%OwFo zO7_#%6JIYDi8M+k)6h#tDDhkX0|3E(I46d>DN%w{a~CtR{hP!m{+;puc*U48J5ZKH zZO(fkKlG&}2~z3O^B#oRThhAgmqs2IiEuPKD$z^N!%V~GK6>-py+uInVv#x4exITF zZJ@C({(R~AfF|4?%i9J^Rv=xkL_f}PkG3x~mn*J;;dNfwUM`vn8TiiWB+tBK-vj=J!AtUDLeE75uKha1X2 znN&N>0U!b*M3dMT@K8`A!cb7?FHd&7>^NQByzMMqIlS!cejC_3ZVF;O`Af+VtOggZA4ur=U;cuN$Jx#{oVrN`+8+v6ThfsnE*D7W)z7)t9e{9`6P8LkPz~_Nk8W|>;=dy@ZXzk1Y=!4EVD1W9S}T}&Qe&7 z+WZC+LyTtXW#zDg3SCu!vHK{^=Am^rj7v;Gm-bYKY1wwIN&0oNsp?EJyDBD{! zjWqc6-YV;ZOT1mQm=BX^nbXzpG_y5yv7C!pXnli_#3H|&$SlI~{ShZ}vld1ZQ($NL zu!r#K-O#v5IM)L0hqXZ?6fI8AUupaR%*wBXSH6k*dnfO5*Oes&Q0u%%E@>g~bppC} zXQY`DK}%y4Z!J>@3KCg0lxzrxgykn^t-8zt?28YeoN!ri(Mrl2Lm9zNt6??@QFQF? z$z~=g5@Bw5F9Dgd`IMVTPkKxr$SDVJwu5HmHmZ=E;Fy_HIBYpUD9bS7xDG zSUh5gi`FDDB1dkm0^=+<7U_<4C1VnU?KmsQ>&Cv9`c8MN>Xs&wFH0?bCtT}Zt~%B| z&cQz9c-_v%%E{PpiVUb_P%@+JY^`1K)l?pR&?NX$d*JgbM)5Y(L{&AzI$?U6t-xM* zLrNF(rlEV+?Y6L`T}sp;Q2E!E)XWO=x^nMAHLR-h$2uf^6Kbeb-<5nw(+?Vgne+Fd z4Bw9^v8z%!zxia3bv=oB*;hA-@UoPd72Ab4BtzhtX5+kx06gF53Bw=wdPDPFsRGHq zM;p82ekaMkT4(i-{CgKbYnEaM%Wdg4YG$}Z!KCq`$;Z0VVzfi$gDk7_qq z8+PK5?)cG_ul(5OoM{$(;-e(A*y-N!P%Z!wNpzm$F_@bYZ?LYiQ*K`T+;!&H591q- z@-_iQZ*?raApr+nol)x7Ly7LKEEB37Q4X9JNo3b%VN}X^XGt#w($J9p;~SIDAUeZ3 zU;m^6u+R0(MI3k6xju&%6nB^UBYO?D+MgEq29B?68{F59F7IO1 z1&*ItEhw_%J&SSZsiRlwjuWwJaJ~5#(H^F2#$-dJP)v3_p?}kO6s_`#FMm}(6hN!B z;&U#Wv*rJ-zs7&q{&m)`>fQso)z88|FE_&~eV?go*)vFvk7dsa|LKb^Y7|_bCqwQo zYc6LkNaW?Y|NqOw{}mU>px=lu5B{mZ(c+|lo`K_51CGChksZ`X_4QPpiXqWh zw%H^dWB5GM7%e*&ziGrwViM=$<)d7KoxG;q&`}SKUI8lO>YtPFa4qS&#kzVD=P4?eH>>pR3_ay}8gc0;D9SwMPr%Xi1NylV> zZu>89b5B!s>~W4yO?ZwLW{@Zr)37)qMB2;BIJ1J4X3cWPl3MNk_OJBW-k!-bgl2HA zjL(02ib;MXou@>ujn8e`Z+cP*6So(~Y{q?SKeuzDw$yaiSjnPTuUWz4-@*A9Q+G4_ zRW#TGYkHG=@_-VjO2kx}_AMf5HTSLr5S&etJtoR!To8FNRdbAg_)6n7(Om1nlZF*2 z^PYI1;?uDYu3^)!-GQ%pa%DYM%x7Q^^FqI4VjjCumv+hoE>$p{y663uG&1E2is55h^{D+e)NlpH@0px>=&P6u(26x zF`mhmz@JP^ju`D(^>h~VS&vkE9X^fs6F+U68vv24HgXu| z4kM$midlN}Q|t>0vEJ_Si|Khl&IIqEtlLvjUCc6UE!)d44ZXNSrZd35-+UIekuvpg zM)braCq4eL=FR=FzW-C<&m|*CU#8`AZe121W$c@L&3l1KmXy+|BLPHnrni=utYo(l z_O!mXqUYLi(`q6zr%c$Xvp`Va^_u`?&v@h3d7aLxsNKn3%x00(2;-YR7;g+m_rSKB zK%?!F37!=er0I9Wv*+`$jI21@l0wb#;YKbpG8a;ENXNR?>LNH6@`~?nV%y?HFm5aG zO|1$Hc<>mp2V4}7J5=cXJ0dkfN`v{`8_Z7amVHXhV;{8EaW^umSk?Ye{$ttamIwC5sgqap6Q<+E(%9>F5!|%ft9?}ZN!Ew(d zBT|F|d6XG7c^G{0T42uzzWz|&>f2xoitRX-zWS?(OSs$Na3hTJGk6NllCxN^#QvKE z6_8&EycKN`da0~l*(ke`snMfSJW;dK^0cKv#P9bSLMPNrXG|dz5@(kA<|lkt+-z!t z6DHZ_16xKkijLAEyHdP7=MAX13A}S@GcpA>Vw{51k5G>*jlgaeSkoueQ%vlt)8+9- zZ5%aO#z0VhF(&@#Ael91s7*a_&-%O{I&HL7+gb$%2Lhkxy2YBYyd~>HiLlr1Ufq5M?wcOQ@i$MV@U+rd zsi=bv=uzXJ*`T%y%(UZPxpV{$mhQa*inpT#rVJ4bERLGe zNjH1;&qrmHRXFNbd1LKwytfuCtFmh5U%PY{gMQ)dA=+~wcwXZNLTT#srRP*3ywCkX z<l(okM9)1%msBT7>W1$P@K&1mornkYl7K65Dj>Gtwb+jr+){jW@zi;%v)p$l+6* zJ$vEwQ6b0y5|Z<=8^4tWyC-$0;duWHNa`4>I~s)!)Ij{SB1ljWqK1vc1t+suYe6Q|HT$a>eK(1d1G*5TROl^2g>&Eo?mb(WON4ZFeHZfD$26hI`@5(i zacEJe+$mh0PqHU&Y!pfRogR^cO1hm%hLp1LMARv|vh!N}R&mn?1fp!+TOVe(%B zWXq~}yohf(FzreG*fTj$(s@eTkC_}+vFz?YmHw&{ES{BdmCkTsi`#`lXTS5nsnLct zb{gWtf!@V_z0>-6soXMlxxSg}ePXI9XBE$voLi|j+sElHht6k#m-XTQ>Hruul?nxlEjm*$~gYDK1Xc%OMM(LG}T>ZS$Z%UH@ z*Braq$w@z4Lk>3>Q_CZ=Kz@91@a;pb&c$nkTC1JBcf=%BiWx`gkBf%8scfipF^S*! znyh@#ewW_fS;DIZT;41jgk|%FvI(bAegC$In}C~%=+&(nDy#V!P!QK&dlNa~*bF|U zX&fxeyBQOqE1`QMPV~#c!vb6wv^aI-D?-AwzF-y>3d2cAFJX)9M<{Mbl!j|rWOK5q zI^9&Xih?6lwic8f;b4LUwu1YOJ$A1qa2?@N5}8NG&NqP zYYZ|aQ#{4XC@ms=F1WNxsxVAbsqH!!E`~KR%->|k$X9EF?+qAx@-b8N6f}$sjVM1n0#F(x}J}c?OeM1 zdQjQD+UR7B+wwK?w9!ZZ;(ko$(ErfS&I2{F+K^Xk<*Osg{OCbvIIq_AylI?v?xIfh zllsZQ&BrN4u$8;t^-QQkxNRCm>-Iu5CdB;uO)F$Hy2>YMsDOMr-zsqj{u?dU2fBrVJtR zo_`z3vGUNrv&`L~WDF7)c505D&D;d{zoTN}y$8dEJa>D5Z`+=@R^)*LZk3#R$h3 zW${@=7b_B(?N?uagb>5$D+|1eZ<6|qlc>jD>=Ldm}GXp2#hlBac+(5yPryq4Z{d{Xjz=xRD*Rw_W z8zWezE26&LxpF;k9XVr)2m^mU{jarK?VJHWG|GQYwSWnX)S-Wa-y2bo{^yhg6cpx* zGW_SI0nRm|A^qQbz5i4Ca;^frYQ#?VpN-B?P(=S-40VPEW;Es?6nn7*0qy@5s)Fr| zS;4~`ST802es$4Dx~;Q_~s6M!{Mu)yAm z|J}5o2sl@X6ioDvgzWD)^>Vg{;KeTN|5SbXmMRL)c_#*ABmrK1Ckhkv8cb#?0plS9 yHZm0=`@aJEpNep@;2Ki~Fo_un4BQ*=Zv#>SkP From c83e76a75f9034bee1fb03ec7fc0c6e29dc91cb9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 09:20:25 -0800 Subject: [PATCH 283/304] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 34b3992bb5..5d79d2db3f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -1,5 +1,5 @@ --- -title: Prevent ransomware and threats from encrypting and changing files +title: Protect important folders from ransomware from encrypting your files with controlled folder access description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files. keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders search.product: eADQiWindows 10XVcnh @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 12/17/2020 +ms.date: 02/03/2021 ms.reviewer: v-maave manager: dansimp ms.custom: asr @@ -35,8 +35,8 @@ Controlled folder access helps protect your valuable data from malicious apps an Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -> [!NOTE] -> Controlled folder access blocks do not generate alerts in the [Alert queue](../microsoft-defender-atp/alerts-queue.md). However, they do provide valuable information that will appear in the [Device Timeline](../microsoft-defender-atp/investigate-machines.md), [Advanced Hunting](../microsoft-defender-atp/advanced-hunting-overview.md) or can be used when building [Custom Detections](../microsoft-defender-atp/custom-detection-rules.md). +> [!TIP] +> Controlled folder access blocks don't generate alerts in the [Alerts queue](../microsoft-defender-atp/alerts-queue.md). However, you can view information about controlled folder access blocks in the [device timeline view](../microsoft-defender-atp/investigate-machines.md), while using [advanced hunting](../microsoft-defender-atp/advanced-hunting-overview.md), or with [custom detection rules](../microsoft-defender-atp/custom-detection-rules.md). ## How does controlled folder access work? @@ -46,7 +46,7 @@ Controlled folder access works with a list of trusted apps. If an app is include Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically. -Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. +Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. ## Why controlled folder access is important @@ -120,17 +120,11 @@ The following table shows events related to controlled folder access: You can use the Windows Security app to view the list of folders that are protected by controlled folder access. 1. On your Windows 10 device, open the Windows Security app. - 2. Select **Virus & threat protection**. - 3. Under **Ransomware protection**, select **Manage ransomware protection**. - 4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**. - 5. Do one of the following steps: - - To add a folder, select **+ Add a protected folder**. - - To remove a folder, select it, and then select **Remove**. > [!NOTE] From 9d86f926aa161d959dff7efdff5a67d091eb5e4a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 09:25:53 -0800 Subject: [PATCH 284/304] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...ially-unwanted-apps-microsoft-defender-antivirus.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 15e0a33178..f56820cf7f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 02/01/2021 +ms.date: 02/03/2021 ms.reviewer: manager: dansimp ms.technology: mde @@ -112,21 +112,13 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw #### Use Group Policy to configure PUA protection 1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) - 2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). - 3. Select the Group Policy Object you want to configure, and then choose **Edit**. - 4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. - 5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. - 6. Double-click **Configure detection for potentially unwanted applications**. - 7. Select **Enabled** to enable PUA protection. - 8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**. - 9. Deploy your Group Policy object as you usually do. #### Use PowerShell cmdlets to configure PUA protection From f74183c3cbffbf27266ff6b666de53199f4dd8f8 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 3 Feb 2021 09:47:18 -0800 Subject: [PATCH 285/304] update --- .../downloads/mdatp-urls.xlsx | Bin 25191 -> 26000 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx index 136c11b15d47022e131bf797785eb4d226ef1590..b5683ec66f0cb1daf7e6e7c898378ba26a12bfdb 100644 GIT binary patch delta 15091 zcmZ8o1y~(Tvb|`~puyeU-Q8V-dkF3>LvVKw?(P-{?jGDVxCFOgkL2I?cJ~b*7nrH8 zu0H2fbu&G)-v<^u3RdIv4))7|37!)K2qc%_{SF&Y{KIop2QIi8!^Nw*HC@!e*dl^pg2e#|w<1o(HP z^GSKzYu^6A7@Sq4a`k7;DG6t5e*>+UPQB-c!Ci@=6mw#IWRUYSBx9oXK+{?Z{QUHb z2%Q%2jSb~vzN_GJO^9%1oq>fb1*zYwek(fL`IUioAi?df?f1!> z2MMLgDJs`_8kiuPGb!LQn~Q_^Or+)+FW?G@<J7J?q2n9TomVF?jX za?i0Mg0$6q^lXQY_?c}-hR{wlqGE-^owgeU>#TKPuEBD7#fJ#7;Ff2AOo!c9m_ysR z$Xm)xxj19-;O;Ej+zacl{h>Pgb|d3?aC#DH)c#iXF?Z!5u3jEM2wBfNMLVOZ{qi|T z2r+-b$POiQHj3M4J4sva{4-w5yCnl4auQQ$iM$G9UROlP`L&ln@^k5Z`uIWplCbjU zb+o7CPjP~od!)3o{d-W)+|G z`pJGf01%`-y3@mct0NzAlNLTq5p$^nhPyI7LPFG$>65KYp!cmsfiL~nnds!eu~%xg z>%~kPIG>igr+BQ( zZ9UDhU~~gh(I(S^6?U`~1TN|A@V?D2;(pUOGPC^^;*m_*!640l{PWdhTX+FkkU*a# z{mx&8J)yz-i{>PMIoh)5RcgT^&~=w+y&Z#Q4vF6GkDe?^GAI+@RsU3h^*}s4y~-GE z>H<1qocLO6(}1l`3mXP8{fY3naZwhj$CGjqbEB;rf5ZHf(n-VX;WmW(MhzT^FEP2`NBOe}f7T9qOEG}W$~ z673z0#j9)XqiU`JNT-#;L0;vZgF9~rL0J<##BK3btXOLlq~I-U0ir_)>5Jz`ve6Ty zbOkstd{=dk^c3#&t&16$d_x|KcL!~oUQSK76_#1<7KHBV-Gh*L05y3hllDc7E%X-k zd!yF1)vCm0o-WcIH2Bl31E(vs?u6zuaoaqhv1B)j_3x;o231kM(&x{qn`BW{ z3z;r5p_weqB);)MOv(#EKgKwWLfg$;SAwH>$otk=E}3CpQ)qs9?Ov)A-bAFHb#Y z3w8jnHxI|v)r1?b4}-71k5|1j*VikP0PwspxzhRUvds5<`*R_r_!;r(HaolX<$izn z@eIh0!#zJ9JllA=IE;A&yuDv-*6-}DCJ3{lo1+M`0AB$g@7Il($+L~;yPuD48(sH_ z*u}xjH<6m3tUU+z$J{L}t-S`)tWG=!bUw*V%E$RAKIAFA=ikj!iss)fQ&Qk3r%Fu8 zLj5p8Rv^DQHjjQ&9MW=T`=XIx*AYKFqkreT=j*=Qq#i_^%~FW_k?T^M>WbL`mGw1) zbN%HZ6=*p>t{4-!zbR5f@%0%_)Z>jkKUSeSv+vUKDaQrGB`Cv#gmQU9hjh# zrs*WQ>aB>f*(9#c66baX*A*Sdw#>tTIt8^CP?TDSDU+o4uO@Vlr(Le20{`12&1~be zPyN7Yeff}~%FH}#Ktj#qCryD@QEDru%$y#$QM;6Gae#mew$AkI8{MEfy!uj3M-y zFp;UuAst@IKE2Da86wISIPN&=BD5ft%vhmVp+un(zrnDT*4fj(F+B$oRXIvHaW@jX z(~Q_=^DJoYZuOxsIp$2N#G^n+f5<#Y6=*(%RgF7a%1^(-(b9~0l&MvADJLf5tp`ijWsG+D**ymi#=48zu+%Cg0H&Z{UMgM~4Xm+*U1(!)1(WuHv zuQmS6;WYw`u3_*IulPoq%r50>n2|RGMiqc?Y|Q_X^-Zh^D&JXrG+Hbo;nC>~{H~$gOqoE^uA6b*OC7DAoGv%=nimXO*qf z0`eb82IAb~GfSuer)4kr6%{V{rk(Lq<&JzWc*USejH+Ht=ClIFd&19?7{jnhCQB-} zbrZ>B%GTJ!r&n4HO;6y1P5sfosHT=kZ1>I0Xm}k0zf-#`Vqo_(E|xb2ZF}y1Y~ljv zJ)&wFi<|aovj4bOPwr%`11D)?DxcA8HnWSM;FgllE3jY$XqxtQQZ}Y zQOXWq)s^x__1*D$*bonZ`BG{qSC`bg5AL70qs3<@m7a^pm5RD~r!_N{tS*a`wmZ`4 z%s)cFx+Er;k&P-wGa)H>)z#3uW=Mwp!lB@$9Z_>NHo7R9Bi6x-BXH5qr3_$vn|ps#-1xh#HwWtxCOCYIX)so(zN^u$-V0 z5fP7M9qE?dq>_lbhUSP~2XQqiyV`-sdGZgIcooeQkv3QdIV}0R4VVazE82Lty1T>P zq$J7gRFGfe;Edi?J5Hw;5>y|}3+AvlyNpM(xszOT^jArQwbT@J;TsdDsB%{G56<+i-igw8D@(>hJ)RW8+aSV)0lBB;pyfpO4115-kvV)iYeYUyP}$i#yQNbSlC zwUX-mxwz_1{~10Oq8%BjlF-IbeLH!wH`QYw5?bRuL)csEoV0thOUp5%4XHAa3y%7B{#LG zM{jay0B?%c_$vom5V>}KwBvY%T#z=H3_i!m6r2!#{fEs>$aj=HT(EfkV{sZ?^HXr3 zL5>+)s2nl#B5N;NRU_6brrX`ADY&kWO=-t2{`tT^0!<^O530;B1V!5vt*HowO~_#v zB$l3&C+fg?f8x=G!zzChg6x<76+&T+OT(MWTi=|KAWG zAId`Cz#v94+0el|BQva+hxDZUzYxCExUeC2S;%vRU%zT|dpaS0 zMWWfiXilFM{1biBgZpouwm8?fHhb{R@QW!uQ;L`fGrvh*i=N&v_t|Rdjq`SBfM?Qh z8YdxB>*M-@mjM~=2tJN7|LA(au&;N;j%+`6ti4Nzl@xLq8Q(3Q21j4tb*Lc5LK9<_ zEfjRc^@R+T2}oA|hpv*ht|q1!-sl>!#eAbH5rOCVv&plmT~Sb>YXZ~rT=U^<<|-2V^;6N8!w%hK|PTCSdY*l3uT zw-l%9`BOdps3;=E?lVby0!+RdO1dW=$i*rOB$d{{K52lyZib#?m9u{#;d3A%h7C3D zkqX@4CgJ01f^`j)44Z&VBlu&8x3vT*894Z{5`abD3PXFFQqj>QNS-E8wz}VBwE^}f zLC6Of)ik)Tu_3i7t!A~N$|%vE{_GGyP|nyzu>=-Z)&JnB!VQ9 z$m2}mXR?R*ZvW^%G9gj$6>sxMk)2yb;D|1L`0zZu1W!XncRN2l8#gkhdpupRJXT^?264^Gqe; zj^p|Zvi}Az>R*uk|AM@kRQe-dvhaQNJRU58OFB6#@t4?tO7nm9&MFN2yLTUoA70Nc z)q`pO&uJwrBZ+UP#zfCiXu@3tLd=Mo{tnWGe|@Q7_zjfQRYNn$sLfS*09uLTTh4#W z^olWX_4TdTY9oYRj0ybB>p`!W-1UN$;ZrNhA8er*eVCS9xoT)=B2&gVc#a7q+D2(9 z-n@;v&f^P>&ut2*c*Aa8v4Ga}luwb$jVU!JkEFw!o9R_~r z{~ghGy%AX+Asz}o-c_qQH+<*P=#-~ta)g!{gS9C2bxm%;slTq$V5^rdeuffv;hzXE zuvt-?kz`hVF=!_hiGaolxk+QQYi()xdHc<*tlcPl_TMv7FDKa&@txfu1+QtPE(!&r zKO~>~JTalxoS8ak8869t+Ma2Uwc*z?D^-_#Pbw#i&lKf&O>9IM#7wlEuL*<{`6GUk zN2vk_@{WDkk&rr z^nFThH#Jsu<>fNT(N}Igy>vPaGt-nJYx9ou>AtT#xi0zow}Qv{kWmpP=8V;)pj!hY zwvuKDv!eyo zEw;js8LI`hPNcNizOS*dt@S&gnXnB7SY6<89oT8Z1u@+Hrcs zaVM8s*HAy3>t-OV-)atkik$q+6>oL6(+EW-)vTj*1;s$kD<#{kX8p@7g%&%BEXFm8 z%-}|MWO{aIBEjpGixN zaJWQrm-uaImDZ5gnyJjJRDO^Z?LzKzSvx`YTbLYSp5XX;Hihe-genn0RgTFDg_{mP zaupMgQgHe9Ns|k$d;&H}y*My@`m|O7Ht8?u%06Vd1pKfc3O>xqM$WAmmQ0l?bkgMk z_ULomN7IC9c}iXtqgECzBmpEAe)Ed+ce<$Tr5c_x|b9g|Gy3Z7k6gbjk@ zM8$u=o|C*hoJvr98`;`KammyM^`UE-m}0UXX;{P@Cc*;2>GetSzhXTQKvjy#@_UQ* zm#dI?l)l>%rV=21i3z8UdZ+;Vp{;R{mt5`dJRp7-7wCCSrWUK=+>AzJdEGjSDW!&b zSVcCwXBBlPu!pH;8RLd6Row^scR4oy%!aD`#$YI1eB~Q=<*wGhTv7o0ocMxYG}52c zVsX}B-~Q==`8&=3BE`Ph87?8ZX&pt9_>u^?6jz&?STVMJFQ*}EZM6!La`t=*Z%>av z_*caWeFIqWFTe*jVrEm^9~G`kg(GKpdh=-CY-LJHR>K*%|5+BGyg{7B_XpysmB5ia z+AUSzwu?vy>nZ$6CFSDw?@B`di*DWKB>_Bfm9(69yUnjIhM(w=elF(mX6585 z(6-9uYi|E5i+@WA@OxZROJyEh+epM>oE75H7FX)>=1I8i7H{}YNjZOsbGY_zUxts| zf&2%)+c-bZOGvd?&!t_YUw#c#ZKwjfm`@WWQ=<%kz5!|6NupA%ChZ@zfj`r(`0X3q zmt<;D4dhF*lLLWjKlBVrNO(Pe?DW3;I-( z^@wXvf*Oe0G(=s!fySjDoV4ty!}=0lLkw|Nl~=KPjwB8$5zcj;kp(ln9;crdq{zI; z59`X=cktE8hwX4I$f&(`)t3H6X#vKe86j*jqYPJJz8-1qN#V5riO1Cw)ZSpP-GlCS zMYLF}RiTu7Y*P%9U;h26RqxI32_-`+mP9z`PEqp*q>bmNi|5DcNdv&=`5piz*bsL> zaX(j>TGlg>yn+F?JxmDV28AQ=i9%z8=rqE2BGB& zv%wDD%;39EpUd32U(r+Auc{6@zgA~y+Rc-#M zp%L*>zx-npnqx*RyPdtL_adJNdtj4WiD`Y?`g9c~)v*omlGU!}8w$(28$y)+dfgpE zT0cNZ^=Om*07g-fNU%&gojvFPqd__N6(61H(PR})Azub74mUZOYsa+N!MAVh{QbO4P|(f zuhd?k5)2rupiu8aZ5!)H$zQ;LkEgaPObFgdT}Vtibw6XeVVS%bQ6ZsN5I%-b9OwfD zbdnSvGSdb&VfEfc3WKVH$GfMew^z=*_=7QbKwFIHR>a!P+2Q1kQp=f3ZQJTWicf8u zo^K|gc=n{}fHxWW)UD*{=d1J}vpbn@RbKnV7ro2vUj&m^$U#IY>;wt0>nP1^2$MUs zp%oD8j*D-YY)o3p}gk+D1MPj9q@fMh@FM{XFj$>9gn zZIRK1?k-f1WO&yKxAkjg%PB{)cyDTBKf9ky~>~e0ki`ZSdDwb$@sD5U1o^NMnl8v&qoirTRjq{E!;EGY56`gMQ#TW&xe28 zDpcHX@?(P#baD7WxC=x_Y z8V>u8u^r$&w~Q#V^dh9T=Y6480iMT`e_c~c9ZHmx!(2>uc7~LT1?TR113alVIpPn)1SR`PRq>)5xU_9 zDo**z=6vt)bEIhtLrPF%x_>@Ao2Oo!ycAeDf{qg{97lRXQ9l<@tJRMmR%ag@%7tC! zQH$B&3>~s^c?!NhS-7&f?$dx2V}G<{XskD@4rEja!DFUl;9MsTSiarxw@tI656wfG zW{=3H0!*|^g5L+0wg(xFs7Qar{>k@gtvgQNYAAUw=Ln=fNdk6#rT2Gp}<;`aB*FE>m0m?B?_Y zX9?(dpeyuR&!QBRI`9gFX{>$gaX>95W>&w4qbG=#%xA;hh@y(~+K=+}y!hUS6t@^G zfVwf*4WtC~Mb+J}am~ZOzWcL31^V;h9WVSofCyQecfVA!`7O-paC-ja4NO{3071?kF?X=8JvL16!sZu#G(z4kr;-Spw!U z>u*Mb-6(^@rSzR5l<14I67eqaB$b80!0n{YV@v+ff^!8(m1kFmTBV6X@qX0UPsjb9 zFIw@=U6}w6;S~bG3zxl1?Aw=dXnp7!6FiDLrimBM2y%jKOz&O;1fzQK3?xw?${Jps zFwO?W@ErOO8u^4d=2QNW8Efr0binAIZGw~Qw*D&8{|%5WN*Jz32tmA>We22zf>Jos z9#Q4#KUBafoEgYQ;_j(q9pJ_1?d z%dL0yO$-U|;8=0A$%tS;AWppmRStRJlWP`lZ}i3~ovOQdRS3Qp2@Pi*714@4#-hG_ zUo~U>x)M5H-U|Ghvo#ya-4NP_Jn(FG64xHqQGr4NE@$M0<{&?`rytK}5=FPx=D;x& zY>*snbqJ}ymb7D|TfoT2GsIHZL5D;pJJ>X2-qIY&m+-Om(WdPXJGyZSHp>J+OW^-1 zi%$3RrFXXwJFb@WY?x0ih4)k79#x5%E0s3kjTf8%A z2J9yW&V)Q^N5SC733~1Xnr{amW=_$He-@gcDKceL%2RCruuF|@C+sP=?YX7NW5dUd zK5PO1q6bb=i=oque0EXt)%}+-!m>@N&f@CTo`8)ZZbB(1Jz%x~{+&keBr){nyl1zb zW#ZPavDSjX)KbU{4yVXONdWTOErLGe>w{S*SXiB~qT{gPGmB@nu21!K;}ZnmU>`hO z{}D6IU>Oy%T%mr)H~c6Gw{(u#L}i1ZSGm4@UpH&UAMfcYwuQ{BB!1-dWW3w4hWQ2Z z&t<`SA3}Pgp$w=O34p_RH-&>T7WK+NECy$hS&jRH=Ha%_YKA>3P-WJPe$RW+ZJ;YW zDwiNfBD=5A@(pBuNfDY>zf-ty!}CR97HbaOzuY9598=6qcZVKG)f^l4Q04_;xLb8M ztTN#_!RYlFknY1kE8=BjkaC|a<-C(>exH-CSAuoA%?oHS@}<~`@-DJb>Irv%UwB?c z(T_cJgX*9|9*1DZSO`?UGTAlfl?UZ=kJwEVI;hUz*vmwS1aFmRADYyq_WsH`1qP0? z@KYA{C}?7j{3h6adXk?A9b}bBIxycU9KSn~>)fqrG5k zVttpiR|9EqDQ{8Dm~i+bdLo;EppfyTecW!w;eqAa;gYW%Iz>N|q466QAoPwwmLI;& zM@Il4Lb2v6(}2)^vLATgaA3jsZ1}Zh0g+ghnB1YKbRA8?>v-YI- zmyE~PaW@4ion&w@4#Um$W`Bz6viO|BUIv$=eZ${knWR+7Er37UQ=H-b8+l{3Rb=T5K%f+E> zU>6_Cr0CBtqBGHQ6e$#AEo$@219Kx$W0MI^vxss6Q+kJrDVakc`Ay@DDq4tNS-KLY z&pIg{1xBMwgl&Ur-dQ8hv}NJjsb=E#2M7SK*zNg3sPek1_pu7g5X78EQXReS;99y- zpegrUgs4`zxlp}U4(ikuYe}cU{Ats6d2I(G5s9s&!6ol3NmdgehrJJo`OLRA@kd zlStRLbi=GvJ9=u|ta-Yt$EYEdENKt5Y@P%HIVSSX()>q?I=?%4;T#W*p$duV;aby6 zVno^>#>-*%xQWfJ6iuB_4h%Jm-VyR8yoIH6#O3rzs539Aifp{r65v0F{PIm1yJ{E3 zreA( z|B{R_-OzOD7|-#nGW}qWxJ~Q$No#MD}B)@Ju1mr5NsgkoiMT6UR3M2eYmx z#NX<&-F1&dC;k`2uqFGr-q14u^Y}$b#;{1HFOfsAMVEv1{3PA!fb-MbqFWn2uzSD5 zKs9`Jt+|CX#rtw}4?pW6Q{elcxrGn7Jk4EbUUD1k1A52QmvBo%h5OgV*n<<@A&gC} zAeK9Mp<(DclbZWR+RPBf8IxYJ0|)@U`+>1F%et{1KJS|)|2Faj_#&F@?J=_o39 z5Yv)CuPo8`tLe6Ub{M9)hP(Az&LxI1J11gNKc08^j0o7slv0t*!SnRV??TabI+!tV z`kP8={r7?jediBuu7dyt`ubzLz)#JP8fpsT`=>bl9av89o)M*vhp7NB&aLVimkY6{ z{f8~v>ubK_yWq>-n&NemO3rD5EYI}c_vhDaxWhgV7aK$L3z(}8;|#mOUqjJv)>*eG ztQREb-@V8#a-fhh;(2Ruy*HFJBD{Hb=_McMRj;FUSPJ2@i2I)1wsBof^|vC#&6d_z z3zWsicsHZb_`GwSM(Xor{%(x&>8OBLRGT1q{{>blscr?St*HH(*MwT~4{%nbho=wl zAW#8ALZkp4aB9=mJ`dk3Z5JWC+@+v|r(`HB+dwZyq8?ZG^ZDiufqW^NYBau?Fq{pJ z8}I%8P1?i#pekN%p_EI>PH_VK*;63wVL4Ial_Dk5UAEVmVk(C&G@pu!H;)#)&*k9e zZbXbWZg9H_z@vqg;C*n{*on-%kR=n?XYh$8>RWd;aQMACLG4_KF_6h&wv$irwUY2k zDT~R#Y}%X0!_C2=hXwm(tdHu|F^n-Fh6m4^Eg(!PC6`g)c6`$$TVOX^ay9gu%);E6 z8x8xM-2#i08kPL3k+jTD5y5=|_rLiFyLr{z*DH@vca~Se76Ntn#Ya3-6^9sLnbU+@iabM;BYC z0ZQnI^ZE+&`4nLhgjml_F#N+PnV=pG`B>p-2!7M4kJMy12cC&cK8mGV1Q-;Feo>Cst=vqzn{2qRZd!(v)lzn zbjg=LJV0b}>eZ`&X~GkyA&EAo1pDGMY(NJ93v9 z@tm04)sC=uWh$#V0RyZp7MIH(J+WB_1Y^bhteAIPPYtA4G3d%S+OhZZu(7~_>*{g; zc+-0HPjram>BL-NRB-zRzk+BTp4ExkHRL#0LW-G8 z5j43Kt!~v*lVk{&4iAoK56^&tokLmpED2u!N`dqtPhXv6P5k*X>_|mFXFD`KPy0Lq zU`LAf1>*~4Py)EM+2yz`<&0%AL_j|jcI0_?F!UXF*;b_qve^PsRi8?M;wiy5+vaAm zOVX@mY%`xd)qLKzxNJRxsHM;RK|lw|+47XqMr>|}4U^iz*yZJ_6+R%yQYr3A>~IPt zM|)lrm)>JgX#5l6*!hbjZTNRI0!kELQ&lkonJ-IyCFoOmp5;%8Nk597iR~j-$=V;v zD8=Uw)S|s$>i8UquVb9K)#I*kbO=qbwzljm>a)$}uE-n$( z55ia0F+jsU_7s_%(t6E~3wv2XFPV_@yIz_b7m(hS{~F`96m|Pt$idF5*(tR}aRV3f zdjn=oWkVOIHNWHV*Y6@m$g}Nq={09bmwGRT7_R-gui7h4>v#^p#8=V@53fFMyBKy= zK`Wc0?M)TWF59tQnYIpYo5TAZ*HOVpL$Z>e-eAL(Cgf+{TO;Xj zyus9i&MqWgaIIefJUS4)h!9AcjTk^-m>SV82e42Ssma!;V?hZhg3V=Q&8-pHx&_of zIkuy2DA!eGaq%u6+8&7&>w{WVR43n2$!2$dc6n54PEr~XWRyQn+l;f=gIMhSa`bQu zHni(je8PPNcU}3A{;;@i-N$~VX-9PQ^Gcy(4|k_nzd!WFzL7*Z=ep99 zga1)}wt_^kPzynC7yl~nqOM*Z5*XN*wdR2#;rGaP${hFw^`K>VCWW{eW<#M{A{0Bf zNQX&dUp$i>Fp6kRH;#5gB7)zqjV(0(_%)oXoaheUZ_{I zazC7q70y1>p&Ifuje|#b{sR4~Qe6;(rss)0)bcKx8q_L1aj51+*z$1YjgnuXGJ&ciet#jr~x%vAk{%rVR;;LJo}X>||H4!<<4o~FHr@$!dL&uSqU zTuz|k{-`eBu+rCp@?JDps#5QxGNPzihr7n9^>utJnM>Pu$W0$F5!Iij3GsV2g5Vh~ z)m~EHa-F{{WGWpi$ay$+eudl(oDo*Fl&g8&SBo%*5?eN-Ss2A7IP~=_LJT>ML0$(Gy z4Kt*XDAWo$exE~_=Wh_!PbL;WQ5`19Ut$Q@t&odch=FWlaO@EVWTIz@V|B&*l<+xq z0s!ij%afzM==A)M;iHuu?TN3Ywmh#o$q~>ro|`-R_iSYr4Z~VojEHv%-K3RYW0r6{ z2$C=PAuR%wlJ_ny^r@REv5ur$PrO6w*4QzqKKFdAVT^A**`dQfJPs2=x}#Dz>@^&o z8WY{{6qa{6qWF;6iJ=|etXqMfsCNvVs{=4dI-2VA(L-HUl#22MJbcZ|$IlOTG?*v2 zH1kIAXiEZp1Ec~TyF zS&HJJ8K`K{Hs-j0^&wkc;Fgl*yGHz4YXS|~buYN+@EDSt9sw7!suNE$~jIJiK_yp z%pOTT5I)58BJgHLR-NH(=Aqcz`@9O%RO&r4Ke63k@b4&zb6tdY)XGXGFiDv1OTj3S zoED;xp*wF6$FM{xzfT`1ll+|ZFt-LsCy{Lj|A2eO=_Mc%J;crrugAa*Z|xg2w_8}O&&II5l8v`@}ujYiBZsJ}7{7vN-p zjONaHkg#fY(%(dqcX+=MV#gB^8KnD(MkLJgm^snRmrOv-Ort33%Ox$8IH3!mRrDyn zy{tHGKm5!tA!NY>pMbj?nD%R&>78URJRA2?FBzmbz7i$U_-JVFj=nv4;dE5MoxC^)qijt`oF_K@kD8Y|vk#Raj-FoOuYV*8! z#w{`R)O~g{J;oj5#_2@(dC3qKJnl5-IfnW(jE3)aVdAk4$j^hfO-fNK1H;rePDGm#U$RP|%wNLU!=1vIskfb9&Dh=S8Ln^1R zhW5kct$joB9k(aVD&V2GzwBRkYS|1%+&)aDcu!KxmLV%6I-Nu^1(ahQ@Fs9qG zmkC+yEa)j<(Tj{XL@AuyK!$jM;u$2azmj(=^SPP);qhQGP$at7WSvP5(89cl2r?mo zue22+4q_8ar}NGfXsXWn$cN}F9f(mi^rLND_AV?UMSGk3lg6BgwGqa!-GF_n!%c;% zM473a*^P=xnt|Ny){5e1SNVF*-D-%{OjUen_+6%k9EAnllZb~+%gMlD z@_0k;JSqMm_0!QnW8q`T+f=vTc(9SjV{1-sZ+ig$^-jav_=rKpWhq{D^6X$h6@6eI zR8wy82dp0m_^vZl9CMbk{(ZCK8;VW3l-S{G*Y^a3LzGo^`j1ua-N;e(xEhs^v_Jf3 z27Ymz4Bj?<|0GUk)_9cBkH~9i%6U47WOa_J+jZ9MfndsnF+3~*>)V?Z`hAD52kn-o zD!zx}aw(y!RCy@RZH*hac`bUx}0$7>Q7jmEz#jJ_?0DU?T;<^HA&|6cR+C_+KOn0E~B;AL3h8 z<99TmwbRmx&`#VgLtj{F zjf;xK%=V4?ntc;fx+5Yuc?}Gfp}SD0+qjT3G87_HM%zK3I){ea@ArHsr2E{eEPE*R zOM1#z0eO|Ta7Nbl75t5u`Z~oHD5w;YV9oJ*J9Sww06Hs_SmWyp@przeUid`J@U~!@ z`}fh|&qwcnI3t%C-@M#C#ql|xpRC}6N7jBxVc5iOX(k;`v{F3P z{tH(z7GTz32vc6y_ss<3*m!I`|12wa5p6;28C;O*Kq<#9xUe86$Tc(>jt;9ZR+&UJ zgK8qxh$NvHZi(i1@sD-|;!9N1&(kP9=;{or;9AmT+vG-6gVA|)=mSaLSehF0<2pq# zi$M;sU6Wwn;)&Gk)sW*!CuHp7F2J`C%%hE@G=TvLp(TdqT-%=~E4|O?eT-lFxTUPN zso0@tSV~w^HjK$~P8A?%6e6ozv_3!D*)E2eeO)Nxk$k6$WIIcW^D9OOel0xUEo$>n& zzs#?+x(H3-oE)Ri$=E`I)mRVA=N*GbDb{oWdMHkBY9B=k7Qn>i*~{aR1A07BeN6 zfNH97xI*Bl>K9^xVo&Vp$Sam^sa{$06=`W^d8>CwdwcoX7PJ01J0K!y`U?`o~`o;gZVb-?E|BqZLP;Y9V`e5 zTwm>74Scw8I*?E#CVE5g9NG9>ye;_n8^)MpSF-=yKB>3Tasr0}t~Gy&Cv2(Fi?T2n zTi6;K<{&WDG1aeu;dEC_4s{K64Kqco1d>7xZJUQ08iP-x$c+h2$8`sac*Qodif|L9 z!-fi914Qf8DO@lz{!m>yI&d3gA%i2^)HJxc`0u3k1S?t6%>tEP zL-AJUpb`H6b(aKdeOkP~4+ubkK&=@6|M~}tgnE4%ynk<&{(l1yUBY)-oCGxkliD1OmOiLiQgAmtaDy0LEX>9y0&w z*+e!WR~9z`%a9G+NAB%c@&s2sWW0aRO&}2If4BjG_T>NAL;ant5*+kC;QcA?v0xw& z#v3Fk|7CipkdST24_>33ux`i)KBt<1XCw$dtdXE+#Etj22)(sndE4^(??^Q@6Y7kF zz%_Idu8k=0{u2M@b@lC=^1r+f>%BQ5gZit71UO?Fa8><;6CGR(C0QuwKZY1@UypAz J00w{l`X4m;O11z1 delta 14298 zcmZ{LV{~Orw{`4vY}>YN+fF*}IO*`j_6a&2t7F@?I#$PK$HtfL=Y8&b#~tI_KhD^w zS~Y9UwPw{mwJUxM^q?QK+65Z618qpg7#swI3Frfj18^wgM)otZeh1&q3~Yhs5P;*d zFT5$XaakE6!;-It!^W8{D4hfdnNg8jx2?pq;!#j$UHV*44D{_a*{@nL1tTT7xeyp= zw@S7KCfDmt-4d1kf^oA)Zl-hU<7Hhm8p#2)Jzd9*A?{2mMGM%1{6uu=z|4!2ccHeK z+1?7g1r&fQ41A4(w0m5^_fmA^nF|hYWU(K+n!ub@+#nHu!AH>4s3)eO8%%LEh3=IJ zg8WHjvx0=CtCs=3X!^!~C)u+?NStLQHc$pO-_RIdxk#|{P!dqxG(6jg-zoSK4;dxk z2{uoq#lXOgr%k~Kvhpk84PB^KK6t&*_?ZX#06@}0NyVhTaM2z4Y-GMiRQ*DRUHis{ z8@Qm_fhuy<8NN@@y!olDCQfR_ zf5BaJY+<5IjBmpk(HL^8DWh|98{<5 zNlQF@5>;p>{WeI82;o6xo_Us|DiFN6q-deUWu8l6c|Jc!7uCS<)}$@0JaDSfaR{lgRPJrymcbGd2MRku>irxx^m-bgy7NV$9zda& zt<6n^Sy|6qGz|X>{b$Zqu4p>RSm-1DJ#2J!XmM;)0pfDx9`T%75HiWZa06xlhYKQI zkfBRontgDk8D2#CN*b2AHKup%$u4)?TU;&_7P#m1O;&un?f5|C&Nj|EqensHCCI%P z#sEZTk+~UDGy^nsE6*q*)&xCStby<1#muiuuq4W~RHBhl2z4WTn%t6dSWL38UQp|X zxZUr+3!zOK&`#5Tui3?(t8&1*FTA^65au}yr-faIu^~}zIB0TNW*K}g%Z_WYspyJv z*FtP5C1fqaHGG8vs%W7DC5=DTk-!Up!Ohe|4VI#VfDFU~V@Pp;UB-~WP{dDwAQo)t zym$?FU@@JB#{AjV3X5WOAWK7LU*mC`2XVXsjRtN7L^LSiU8oNM*p^S*(ZQ^FOe@xp z6i-E4>7rxLdUJN-%q*VeRz9jzLYI(hX)?Wb^V&8dl3u|O>_|wh&M6k+a*J&?2A})w z){TMoYu$n*3v|=xAbWd=F+FKOGB-jX1RW)vt15Q79{Y_KL(4bYPPIH|Diku=ePV## z@XDP{sW`vQ zvvN1C2VUtTq`AW}M@)rhCD^f{>K^?mk=RM@*>IU=g{*i-C|sLMM%hd=b8&D0__4@Y ziYuT`i~~KLy56xBS>iO!XvU)P_j0zk{W>&)9BA6Tbs(SH(pHieR-pjFF`(GXn6}Z_ z9?ndJ;;^d+6PxdL6(+EN#)s2queF0}yMvdyOXr%;Z8N^pVMwB1;GhTRl(r=UPEZ^B z=GAH+myHLPYGR<%+DOGzc9C|zQTDM*5^m@e&Bx8+&0JEUdd(&xdnf*qoQVxyN?>n~ z369oP3MY^ewK|d2Zc0)})?!oS#obQ3>obwxCT};iT}eRZV=eGw%79`PSrj=mN@wn0 zXYHt%Q;`xqWf05$xd|vq>|~nABU3vrBFC0^Kd1g8wao+q>_Nf-EI@7Fo=%4Q!1ggu zh7mhCuIn2L<(njsw&_;vXZIPD%%G z?oNb^-d|7d8~{X|NL{aA-yf>G0yf^BPhJnY7&qP@d_})>KgS7mzFuEXJp+8a-Z;;m zB=fo2gP#+vgrWli9S0C{d!@b-0-0Q zhIO1D^}jw;SCqkt2~x?jRXgrdsQob8Cjb0KVc-7hlGS_xI4K_&eYh=ENAc^R7_B6f zesCK}LgF^9LdB*)CPzkd{MtNkW!@DbUF(qb=B};mmsdrdP5t94Esr*vlXEmG|N5go zerA;{Mu|_}w^2)36+^Imh(HKaFzv_H?sIUz?aJXS>K~_Rd81jJ3$+gYJWl&McKyj$ z$z=$tcj7Dni>V~iHV8>r2-tpz>eD9hRfgw&g9HH;`DHeXMBgSftz0H++x)iXluS=t zJe9rVviS1|)8i}}2@lxl6Nz443Q9O{m&1$C+m&B|)IYe=^1OkKoa@8sAWCLr4q*Br z?K0@I>GCw|(#A=`@xt=mXW4r{8q=mG_ZuDcm|CU)i4kqv;(6Z`%_GmnS5~-5&J!)O zpm=&Th9ksTGKZ74ga3o=YesX0+?t~NFAOTw0asErSE`wXL0C`ked~BM{g4c4^w|h` z8pZ##;y)Czdc1zt-*4bVsv=LtD&awDZ=Zo&mcynLl(9*>`?o<^CsD9`z+YeSE6U@H z*bij3Z$onbzzNB33z%pi&};Em{ZX4tM_u>{2Q2nTdJA0+1_u^4Se&?lVbwEW<`;V? z&G|@9XVTXBE{9$`(TO&L8vZfDz17qho!u9^gnLH|T0KuRt>bD2>((|J^R;v&tWyp$ zEz!Y1brrQ=tARmiJzD^c`8n3h)x^NOw2I%5YJC(%PYlb6$Mh?SoLr6JIgW$Ox9W|e z-?SXR*HeQ-b2l(p->hIpL|ZV8rL-@yQsu>(MqzefO<_u15ORAu3{*T8I$|=K;-@!V zWd))(GQ>W_@HQ}@H$|{v_SaenEKAL)*rf&LKa&n7e2vd6CUF8Bd&93L^1wG1Ox&t; z=6k~{g-l^q_F=K46)-&z6;EM~;J^>nQv9~aWQfRLngOmB)mhm;LdM!h5v-}?)kyrB zoElYk--hwj_~<5Uq*1k&J^a9JZ;hQ3g!`YiNDH6swyMW1<+hg^&0|-Fak(AFevIK{ z>@!Mv_*C{)0*1qVMfO%O;EqGgS`zPT6;m<}EYv&>BYt~at%yd0zbKaH87f;|#!hW{ zQ;`eNscnUPQw=+RV0AE3ZfOir_1@BMEWd{)J*K9TQ%WJiHzCY;GB?pX<&Hz0;E;FM zOe#6;@7>lY6Kmuq6*!)gR4JxXBqrZ~WM3JVOXF<10gylUpq%y8_}26Z$j)`19;HmF znHX_z{2s=V>K^j3F{0kaigg34h{I3`Q_4|LI`0B5W}zxVu9AyUAs^ElELOL$$TEU` zG_yx4Tp}hJV7C9(o0g6F<9%egby|grn;Qjxpg2phn{wbYn{%L9mP$xIQ(nzSCBXu% zAH9-*!Xr*Cd9UJhKF~4CUPvU~}ht&RN>1l1B;4KL}!0u|N^W{S( zc6og~^`~C3qAk)}3@u&fU_U8BNU_uvA=NkmZb-UoChDJ&si!m2oNJ2ZEts&PWC=K3 zI`kYxGM`XoGhw$OL`jhcg0m|72B+OXhB$l9d2__g0#B!D)J)JGGC?_eE@wanOBHei zA)LTSP{K_`mEt~duzcW9zQ=y30h67h#NWNrPa72xJX1NYhCQk9hd-X9R9+3>4gkc% zh_mDt6;^LqUd|nY4snt+5n!G({DR{i_OMJUsfLYB0Xtrjb68ewPU*NZ^&uxmMh&2* zykSS?jD-T@Zh(dMQkeNdoFnc+`O_w*NYt00BG%^>BjY#$l;lsQX-6I2E{Ka045Vbe z^$bo6febYcoD+TEhp%YEe+91qd|KWBshjS%&0+yZj!N6cCQ|_E9@ki!>smLE% z)7TL(Kswr?ou+`vvQrKpppB|8LHIcYC^*)mGi%y|HK2#1!9)n7qj~AV=}F0f;;%xq z75bybz_L!zs^z8xs)i|O15!5wc^hB>H|t>kM$NwvjQ>Iq>7>n*4^fcrTe`;_;)BI5 z;|y4r`5y?xb_9qJjy7nqq_17*vFrMM`-2d0rTiGjCsuCav0mUs$0x|n6z25d4dL$X zU;KIP#wv>dj#O2zF_ia6!26HGxmi{jkCP z{6tDdmWzK$_1SUY-YznamRt(O_4g5{E(P_qR?OU9WSn$p4t(h#ot@)5U$=iA` z_gKxp+CcY58~(J=E9pe%ALCpP_Q8Vsx-F+HX~13NA09|wCQ-I}Y80x;`2R4r`Ny-H zFjJJ=08;)xsSBf&AuJ7%_w6UzmPafMQmlO-!InxMiwG3fN6dgpedX*y*<$%%R^scw zY5>#aBL4MH48X*F5PLOJ^no^D1I`!?ABE6to>DpZkIw#ymWT^JsbJ_2*@(TMp8iHW zoByXE8Grg__{9gOfB;hdfB6sI;34JbZiKz#1Nl>u$b|MoU}l)_R2MHl{S_DwkiT)Y z6zr>H{Gr2sYeOhYDwZ_WW-exd2&bd!hawTGVUrM!plazC zGH=LC-04^O+77~{MIDejU($^TG7@N^MM>jVTe#k9uXox*9sID3H_(oM?>6wKfj{$e zKbwYmA*f~J_mMH^we)lk?y6_UZE+<5Dr0n%ZWn78Ydy&{K7Gus7|lKjh`cKrK9^{J zdNM~irneBY`x28Nr(?lrE>EK#4XTQxhP)G<+aW3XXRw(H%?kH(6nAwTKhfNxfBDQL zb+V({aZMW1=<~12FQC{f&Q8Z>8`oL244bdU|ig;pEe+bW*0``mcEV4}9ty_$}{@ zCpa9q4!cIwT{h&c!^0pxJ%$aZH=F6)AJD`TI;c2_l9tA659IAezd&0e%+bm=8TeHS zRG-2{n5V|oFkyG4WD>feQT-V`YwscUf>4t_UbN?cJMmTn_%bDtk!&i-!U0=8p>V;G!zk1Wj#`@B_+kNQ#SXtDfKpji|39

B6vd56iv`kEYI*iv<^s z(wLn7iM~89C1C+CFj{H4(p69l4%~SQK@IN6;|wJox6vYM1EP~8rHH>H;k@_N(KJv= zL{~*1OuGX%6nA1isI$H(;Q`=YN^bBd(#fS>8t0B9^*@l$1wd~PVLu=ret}k>vvMo4 zh{ja5#>tP@_K+?9ChXg;CQ9*FU|s(JRuYA@mhj-q&66zSTT^WamTjdgh#78mz^)Wr zKRROg7p=FFxPTYw2in$E6bugCwY@R~0B%GTo2JPyhvrTxb~OqAboM6t(}t~lffCP4w@ zbWHGIzu6>?(m|D*#SaU>D8QIL36_=Om95VkyUiCh zold4|Bn|Mmtrj<5&5Yk^~4v&I!OTO z@)0cUU1^-#2+luLEqj9wohP|5GW6&P(eh3TVxsm8u3Yv5cBG7PN|z&a)M@tEq)D355&)?Z<-jwdO_%RrdOb zDJ)r6*}V?Mh$R3oq&}w=HTY;XYDM@;&c6yb!h9-!qE>EK_c$q4|KoMDAJ^LAcSI2t zMON+UpN9pI%gMNW%a)6u`)cWurSHbmEK-LX5IDyec>=g=Bz2d)XO3iKis;)UNtfBI zMcfNRUl_M_(qmqdHp)J3U0c))}8(tk8I@%k~^p}vXUG}Yi-FB1%R05O6f%o zGm|Ikj{{|OoCFI7bP~Nm^_fBu(c4YGt0oscOk>935C#y|e*cttL+bMLd4GG`J9%DI zdWQxMkaR*S?LK*1)PRDmB96RhTzTe(MvOls!!H~beh)gA z;%;ZS{1SH5Z_LBbAC|2!><$*T!*~&m9gE1cSN2hadTS{8bBxkYeV=d=jeL$k)kh~1 zy;q2dy)f)6S|NzSm*%Akzrg(~F@zF6bu#L`p@A>AXzZy(rqUZoA5S&ig+yE)NkRjk zx?p4) zA+YQ&(zX&Nc%{sk&eQ$c^Mt7@edlPtVA%wf{pm9&d z^IgJfTisiHyuX=z#~8XCA0?tMgg-<|u2O&FZ|xu&o7&ON%D0Ln)wLnREwG9OSDaq|;iYog__ zSTx}dOoC>LlnEWykx_sCVCF-Z6s6~^nH&p~__snxLE9ZQvgN88({iW>Sbq)UM5eo#%sm_94h66KdO`Vdf>B zP2F>XyL{Aq$Ty%xM2;(=(*dk=F(I&Y9e+jCv_TUpTyf^ntd+U z$mIwWPm9IJSnElb7fUwX!*BeVIcUj!$ebjmW4U6BYMOjm=cwb3mu-^UXZ*?HbsXt? zsPbM+cF4rlBerweprd<2iD~hXE7uThjAi-g02cTPgTC*KM9l|6TZ=0-Gs&>4S;a_= z6(r4%D>+FaLV2tuPE)`kI|FCA^fVgntXXd9RB)u_R%+3K^fjkK(Uvo>eosyhzFs?X zbVHuQT;l9KkHDw;I2?3FPS@!vY|TB^VCa3`$re*t4uoFX9q7vBG33we9mGo!VsHpXm8d+6YyF7x*?t2sUKAm{Y^a4Se~LOU zXOp;&ROn*fq+m${atEcp+^T?!y&3j&y&YAHfc1()tQAF z4-A%{@t4l~-4jRyHD!@hD2$;(A145(mp5<47|TI!GxZcPec`B9AtmN*G)GfJWybOm z*XhUp6`&a;ZOl0CA8feB-7vp$ zkXsKVQjY@C_G=5Ndi&RVncWy5>0_3xtzKbGMV#WE49NIAepoxfE4s9;xdkw{iuLQ# z9vMMVQ|QWPaaPp$R8;>q%Wx8j#jJw(eWU;R!B0a*&LoDd0V!cz@q5)OlXg#YbA07< z7c83Pc(36d-b1LYAQcUvf%XU<{VO?rSNGFiEie;MF8jna1)OJ%j3S=E8YA|W*Az*Z ztlMPK9na^MnKk8qld_zZ-TriMfCBF(L$p2OBff0MJ3hq(3w=LH^~zltvwRmoMUO_( z696`i1hr*#R}E4q+bXLZ^UNmfO_Xrj>+?JNvCJg6OHWl~!edk@y^kwCeQ?Kfq}K?f8uYX5^c4oV8fH|m> zL`Ae;lY0RG0Ree`|NCQ?pz^7g7$LMu)C+`*mopO-H3rGhOb7EIXc8e~u}PzjWj7%B zrG7(7q^V2!ZnIHeD~2#Ohc3z0jLD#|mrZsfSUP-21& zR10ES4SE5Or|#jGzv+W{vS_*Gq?G#$=CBuqnzha)6R>4Pog)11=*5xGV-eoS_6~Rks{W_^xzg1NFHX03o)ZhRKZXvi)A>TUR=1=HA3B zOYBIz967v@h_fu%M1lI=P)vdEFSQ%~lFPwjo1IZ?Wgi zG|*vw=rV2mij~agQ^2zsEw1VX{MdHs;%mgR3d2Nm%Bkfbvr@L01b60y@Bryi#z6?{ zOYkZy2GFt*fkJd@OMobzGHQUNIe17;tz7T0Ni_MeTWPuXvb@4?7O$rDpTRgOv;P;!rOciVU-KHuFK5efiQ$B zigmd-%oEsy22FJ!{mGm25Ok&j{4g9IBi|sy3~<})!h^R$@`L9H?g^uKF`cckdKVge z7#Hk3pO|^fQ`)|_eJ!*SGhm;(t0igBK*6?~rUDKpw#qLz?#T30mv`ekPL;R2zF~H{ zm2fFI@8S(C{iD!!imCVu^`}5l@U(p_+>X}>f^RTV~2_~2|?jtBq<(O7eanf zE5L7|E8_UBZdL0bcI<3^>7QJ9F7MX16A64~2YhxM3$k3|TdUwvhJE+~>eF}+OuZP)o6bQt#D@hGd^|FpIa}4yj{>1=U z17N0o^0jAmA`(#y5AKXqBDD}4GXU$izoBgkJqV^f20*~WQP4cyZepY4UKu+~kGalr zY#_V*P7EO*<_B}Ek*CLzg(#-rw2Zw|z6NSdHC810`ryJUk(H|wQb;4|Hxek0ZBRqA zF!;Ra_~s-?j-c&#k&rNHeTz?s?-@_H%XN}r>Lzx<~_?$l(!i+vzYXf*rX^W=+ zw)H?dJr_(1+P-f+t{qt=tSu*!11m4BBY9O{Lw`onMe~z(KH>pyE~b^Tu?rGUdUMSu zN`d;YfM<+^Zsike=i4_W_A?tv_lyKkDIIlxvzn;g2+DYfN=S#$XvB=ub%-PvUO(UN7s$T0ycc`#k`ebmdD&tuy=;#&SIl8R zKJh^KSYJXjToxb_^Yde31a41M;VrOy^>yy7)9^gAT=webDuv`z&y@wpzmT#H(&92MC3&8tdxrr2VY>lctyExaJh9(<+xXxd)g;1Q7S0j z(+=2wuDA`6$!Qu}&%{2NM8~IXy*dk9L1*oc0gd81JRpTUSq^$dh(?kTCfnG2PE@pt z?TVMzJif_%!^sWku2}|f*STWPj%b+?^}Ams@8~t=EOgWvg>+q<@0J0Xm=9?9ZpVb0 z{#;Zkb|y|ewmzKbDkW$QOEL-+2`TKkfeQM-&D#^Z7}WqziTOaIHY{f(9!!_{GI&A9 zTnJ>Tj4P0tr4yP27InEDerBe0Tv{(DbI(GlYG+a#7E*J50buBLupuU@{IbB3cQSBN zY+?0zT+1@(Y-;s!peSjZ-K8zwQqpN1`dud95qbUaV>Ev?a;C~!zFm~`ZPs2~$0N7PZ)7_AuDcV}lQ|iZt|}JLBZ&bqHtBH*>BK)K5T)jDGdBJ01pCU%>Yyuq6e(5e)g`w3I(oXrWOQb z=5Xh92c}r*g^QPxS`0m({Kk>JilSakTt$+=4Z;5ucKtN&^KwlQyQE*ht9~^*65`?4 z8+@aIJbF|FEE<~1EJOQ&mig*%Nz%-)&W9zAjyQv-Bmki!*$-L+%`TzhIrXl!VPchB_O+rd`#lHOC?wu3 z!7tF99G}prIwlZLb*+RD(ZF$PX!qV>I21ftU6vj&M}@^1*xR@*4J5UYY1;U^9`a># z^zRABD%+zB0EQ~uU8a3<<&YI)^Y4CDU)py3ZfEVO>#(H4X=6j!SC)yMN@i?K9Umir zox+%aFIV{Pmkr+g$jBwIRJn0n7Gf+~4@ff4oO6Qz9z8X!akQvJJ&Syan8ah!De;d=iysfmT^XBJkjmF%rYgKRGuuScD<_W#_SYbHbhMbb(9ii;|K9ZPY4f@N!2t3 zI7*>j_1yQ|?q=l3Qk}|Ln9Vfpe2pmOUbwWph^=lhKip zg1;|VK5BZN#-l#5=cb}qh)7(y)a_FRj$|}y)4dyq$}c8m4@$ z4z}%J4d>GE%<_aUxi^4#!XCX%r^X2Z)M}nxhoCU3Q6VuP97UXW`{44sIK}lT@%dj$ zqi9q?MpR{jM11M%Fx1a{?@H`@hD4{=u2;7zags`!NRlXg6ZnI@+ZIy!1BO|T?;HGe6 z(vLW)0z2X`b!Kw;3MV$`n0Z}qe&0*4{xq%#y?9^Hm7iF|g!mQL4yN(RiuB|`LC3IO zyNr@q5OgL}!}X{;!s{iCtl~imA`4v+t~zBzt1VOBwhJGdo^jYXSc#Lpc}fM*fgy;x z&C{78h1A#PZrH7@gC~*ba%P+waKe_2yS5zta=Py|3^m5`a?Rnnm=gMghjZK}5DJ%> zW|ZX}vm^DRVVIG;QXt40a-Cb%?4eA(+{ZYR@xn?Z!J~hNyf@A+`cRIB84o9!R9D?0 zIlC5lgMPuhcJ*nP9Nr#%s^3Nw|($?*Z?S@SCrWM*A373D9 zEoP-Y=~P9AIFt7m`}pPS5KSGtpkQB<*_yj#fs-Yp!x`b>56|+y}Lpx~ndJ zeA^itvD^o1CQWm2dkeKEsbSpuult0wvswJ=? z1(iVOGqUE_h`+c8)x9`pqHd_vR%UVYtsGSzix(M!w5qC2K~u{$8P~V^7O%=u?;Xg^ zdQpBgzqYc08*n}(XkWusxc z(9=v+kr}XY;WFBip-=j~gmPe-*rorGquY8~ei?QL)yuHsy+;6Klt7J|^K9@CUTvkJ zCZ&(jOf=KwMD4}a##Y)Yt?q%TnM4&Z{9r76_l z^Tns1kRQi;JH&HOPmM$9I_L%BiP|Q{2m^$bb4Sq@!DabaF`?N@Blyd{vUQtC&leBD z(UqDM%m11zWe8PNO=YM|O_gqTP+D5-(cTO7e24M-s0u)elf6;Ia*(dEPmFx(jGc3L80Y+m%$j zS2JkXT%^a!lxNQ$>9}xGpS?^3I_lz{2L(#$o(p}p-}TfUy+>|D5Y_oUG$d8{YhS-u z>ZtveV6<~qIj0uJtfy1j#sgUAT2LhgHZhm49&j7PBc+9ixQpY~R8pZzSy+yuKF+ z&blo%Th~5*9RKu`@YRd6d3nfnePrYWJAshmd%G@;Y_8X1k|9)asC`?r;W$CR&Yl^7 zq|cUoxq+|5lx>4Sv`)|OQ;OO+B{OgOO($Sd?_FY_i%#=A^%vulMl4~1J5upw2ceOb z%+mS#H^1%+=r7fMT&YtRSuuo+>kIvueAF6v?x*bYJ%_b^36XIxN6dYSQbFm^&>~BE zFKwOg#L0t|uh@Qf50?bH$`ag{k)1ViQb6V@GiY9zWsCL$cju$7^ED1NoaNlvS+veB6Q@x$M?cW@EjNN zp&=AZql3mUyE7*WPa7%ndBFyA{xE?@;F=EB8Y+$KVW0V|6+ zG$c-k1xsZL;tl+g2u~n6loxD!E;kNN%mFvf7*w0aERD1ubT$ele?$+N!7}i*-Fnw?^pkz?xgG%FzJeg@7Co;RI7pEv5)ktWvax=n7U z5U|vy-@UdWeuZV+Y}(|9V#SWyHP46WvWOEmbSB(F@y5`SF+qFW6s@A}sXj350j`i$ zg*0yqB+f*l6CuiVan~-Z_L&|b<)$OBJDyfc$t7r&MP}Cr=f*j30_4ZjYPno*tcyH< zxi}!E>CZ7u)AyQSYl^YOB%4VlNGs4NNl}LLWaSYNoMyTlleOcb$IG(Tmbe+HOTZF<2Xx97ZAn#H1VD#Fgxd3QgSr zhDy=hXucb`QKZ|_ELg@?L7lmVM>_uQZ6~6)YE_Xtl0KK2Hc>?Wg;#hj_vIbz4-a*n zDn*cxP-1=aQ*}04a-e{f0vUvwl^dk3JtqRgoOb139O^wDj_Rjc9{xXqlrhTgyAI-Z zbAv25&XKKx#U_f1C_6ez+*z8v(0o(nFY*P>;lh%C4x5Uiq%P!)tAt_y2tkp*Vs#Ok zSw5>Nv0FO*-l&9WvM4!>2H79r)9xfo=slLTppI?B&>IZj&ocm^&W9A!PNtY7sME$W zyCd|yM;ORzraZ=a2oMPa>tLg&fMlo_t5-Mfp$>^g#n~2j8bm-#cY{kv zB^Cq5BL66MPD34*B}HL^72|P7PcCGx98az(B#3z-Xyt|smjm(pG@J~P8<-y$kME=z z7!{2LW6AA;Al3?C14U z*rgs}m{;rqcR;)IEfvNE7M;Wy!jpnJHBfH2j8ymI1E*tvJC5N~@TPeRLI<>%C`-T= ze>$%yqln3-Vg*Tq^QdYl_asAo=sxvMC|N2_np_GWgW~J`Cynkotyx&A2UPfNo*MRi zoSI7iPVm%rbp&fwIPn-0c~hWVv=BCahe;;CGDwgduc1iVh%A+Uk&)bjxZd2B<`u;#~AQ z3;~5+-?j5QwBCUb(DdW+fa(_2Bqwt=Se@V_(VR>&QL8VRJE4)Y%&R}yJ7ZoUoVBs* z>gE@_7)NP|N7zl8`$KMLUj;Y^VKS>y#0nP7l5Qvg{gae>Mv$oT(V z=lZ`jbLjq>PcUHuYi9)Znov;vcijO51o6K(KF;_!K|sFRF}b*U+F7^&LCw+e|NGYl z2*}5do&R;X3IYX9g~4oPfzzgVAEL<)79#g?%7On!Hse7-KrlZ#g7UvAfPkFK16|An zkQ Date: Wed, 3 Feb 2021 20:18:20 +0200 Subject: [PATCH 286/304] Update gov.md Streaming API & Azure Sentinel are now available for GCC. --- .../security/threat-protection/microsoft-defender-atp/gov.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 3ec12f3876..972dc7f639 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -123,12 +123,12 @@ Email notifications | ![No](../images/svg/check-no.svg) Rolling out | ![No](../i Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Management and APIs: Integration with third-party products | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Management and APIs: Streaming API | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Web content filtering | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development -Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Integrations: Azure Sentinel | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog From 1be537b367ca4c82a3954837ea5863b2f1340388 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 12:22:42 -0800 Subject: [PATCH 287/304] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 6bc883ca30..0835bbe05e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -135,7 +135,7 @@ You can review the Windows event log to view events generated by attack surface You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: |Event ID | Description | -|---|---| +|:---|:---| |5007 | Event when settings are changed | |1121 | Event when rule fires in Block-mode | |1122 | Event when rule fires in Audit-mode | From 2cf9637f14c669ff72412518643b5cceb5edbcb1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 12:24:44 -0800 Subject: [PATCH 288/304] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 7ded77ec21..8602493f71 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -99,13 +99,9 @@ DeviceEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. - 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - 3. On the left panel, under **Actions**, select **Import custom view...**. - 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). - 5. Select **OK**. The following table shows events related to controlled folder access: From 7bf688acee9507e9c1222636ed3094c17f7119ea Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:04:04 -0800 Subject: [PATCH 289/304] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index ea1d8dbfb2..94438fbcf3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -27,17 +27,17 @@ ms.collection: - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - +Attack surface reduction rules help reduce vulnerabilities by targeting certain software behaviors. These behaviors include: -The instructions to deploy attack surface reduction (ASR) rules in the most optimal way are available in [Demystifying attack surface reduction rules - Part 2](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-2/ba-p/1326565). +- Launching executable files and scripts that attempt to download or run files; +- Running obfuscated or otherwise suspicious scripts; and +- Performing behaviors that apps don't usually initiate during normal day-to-day work. -It is highly recommended to test the ASR rules on a sample-like smaller set of devices. For information on the reasons for this recommendation and on how to deploy the ASR rules on a smaller set of devices, see **Use a phased approach** section, below, in this article. +This article includes tips, best practices, and important considerations regarding attack surface reduction rules. - > [!NOTE] -> Whether you're about to enable or have already deployed ASR rules for your organization, see the information in this article. By using the tips and best practices in this article, you can employ attack surface reduction rules successfully and avoid potential issues. -**Results of applying ASR rules** + +## Results of applying ASR rules - The process of applying ASR rules on devices provides scope to query for reports. These queries can be implemented in the form of templates. @@ -49,7 +49,7 @@ It is highly recommended to test the ASR rules on a sample-like smaller set of d -**Applicable to rules' states** +## Applicable to rule states This section describes the best practices with regard to the states which any ASR rule can be set to, irrespective of the method used to configure or deploy the ASR rule. @@ -59,7 +59,7 @@ Prior to describing the best pratices for the ASR rules' states, it is important - **Block**: This is the state in which the ASR rule is enabled. YThe code for this state is 1. - **Audit**: This is the state in which the ASR rule is evaluated about its impactive behavior toward the organization or environment in which it is deployed. -**Recommendation** +## Recommendation The recommended practice for a deployed ASR rule is to start it in **audit** mode. The reasons for recommendation of this best pratice are: @@ -77,7 +77,7 @@ Before you roll out attack surface reduction rules in your organization, select The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: - **Better prospects for display of ASR rules impact** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. -- **Ease in determining ASR rule exclusion** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of **applicable-not applicable** devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. +- **Ease in determining ASR rule exclusion** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. > [!IMPORTANT] > You can implement the process of applying ASR rules to a smaller device set by utilizing dynamic membership rules. From 94c9bd9c9b3b8221838388477ef1555b9ac5e6cc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:40:53 -0800 Subject: [PATCH 290/304] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 32 +++++++------------ 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 94438fbcf3..b4bf06284a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -76,7 +76,7 @@ Before you roll out attack surface reduction rules in your organization, select The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: -- **Better prospects for display of ASR rules impact** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. +- **Better prospects for seeing the impact of attack surface reduction rules** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. - **Ease in determining ASR rule exclusion** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. > [!IMPORTANT] @@ -139,29 +139,19 @@ Reports relating to ASR rule events can be generated for the preceding-6-months ## Avoid policy conflicts -If a conflicting policy has emerged as a result of a policy being applied from Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM takes precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). +If a conflicting policy has emerged as a result of a policy being applied from Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM takes precedence. For more information, see [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). -Attack surface reduction (ASR) rules for MEM-managed devices now support a new behavior for merger of settings from different policies, to create a superset of policies for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either of the profiles would be deployed. ASR rule merge behavior is as follows: +You can now create a superset of policies for attack surface reduction rules that apply to [MEM-managed devices](/mem/intune/enrollment/device-management-capabilities). When you do this, only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either of the profiles would be deployed. Attack surface reduction rule merge behavior works like this: -Attack surface reduction (ASR) rules for MEM (Microsoft Endpoint Manager)-managed devices support a new behavior in terms of merger of the settings of policies. This behavior is described below: - -- If two or more policies have multiple settings configured in each of them, the settings without a conflict are merged into the superset of the policies they are mapped to. -- If two or more policies encounter a conflict over a single setting from the various settings they are configured with, only that single setting with a conflict is held back from being merged into the superset of the policies. -- The bundle of settings as a whole are not held back from being merged into the superset because of the single conflict-affected setting. -- The policy as a whole is not flagged as **being in conflict** because of one of its settings being conflict affected. - - -- ASR rules from the following profiles are evaluated for each device the rules apply to: - - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction). - - Endpoint security > Attack surface reduction policy > Attack surface reduction rules. - - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Profiles > Profile Name > Properties > Configuration settings > Attack Surface Reduction Rules - -- Settings that do not have conflicts are added to a superset of policy for the device. - -- When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device. - -- Only the configurations for conflicting settings are held back. +| Situation | What happens | +|:---|:---| +| Two or more policies have multiple settings configured | The settings that do not conflict are merged into the superset of the policies they are mapped to. | +| Two or more policies have a conflict with a single setting | Only the single setting with a conflict is held back from being merged into the superset of the policies.

The bundle of settings as a whole is not held back from being merged into the superset because of a single conflict-affected setting.

The policy as a whole is not flagged as **being in conflict**. | +The policy superset can include settings from the following profiles: +- Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction. +- Endpoint security > Attack surface reduction policy > Attack surface reduction rules. +- Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Profiles > Profile Name > Properties > Configuration settings > Attack Surface Reduction Rules ## See the demystifying blogs From 89d32f80d3b5400d5a8147d441422d198b58c7f1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:41:22 -0800 Subject: [PATCH 291/304] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index b4bf06284a..fa2799337d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -77,7 +77,7 @@ Before you roll out attack surface reduction rules in your organization, select The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: - **Better prospects for seeing the impact of attack surface reduction rules** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. -- **Ease in determining ASR rule exclusion** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. +- **Ease in determining exclusions for attack surface reduction rules** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. > [!IMPORTANT] > You can implement the process of applying ASR rules to a smaller device set by utilizing dynamic membership rules. From 368ea48c52303fe0de9e20010fb96fc97dfbc009 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:50:55 -0800 Subject: [PATCH 292/304] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index fa2799337d..a4d1e2ca6c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -61,7 +61,7 @@ Prior to describing the best pratices for the ASR rules' states, it is important ## Recommendation -The recommended practice for a deployed ASR rule is to start it in **audit** mode. The reasons for recommendation of this best pratice are: +The recommended practice for a deployed ASR rule is to start it in **audit** mode. The reasons for recommendation of this best practice are: 1. **Access to logs and reviews**: When an ASR rule is set to **audit** mode, you can get access to the logs and reviews pertaining to it. These logs and reviews are data that helps you to analyze the impact of the ASR rule. 2. **Rule-related decision**: The analysis findings guided by the logs and reviews help you take a decision whether to deploy or exclude the ASR rule or not. For information on ASR rule exclusion see @@ -77,14 +77,7 @@ Before you roll out attack surface reduction rules in your organization, select The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: - **Better prospects for seeing the impact of attack surface reduction rules** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. -- **Ease in determining exclusions for attack surface reduction rules** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. - -> [!IMPORTANT] -> You can implement the process of applying ASR rules to a smaller device set by utilizing dynamic membership rules. - -**How to configure dynamic membership rules** - - +- **Ease in determining exclusions for attack surface reduction rules** - Testing attack surface reduction rules on a smaller set of devices gives you flexibility in identifying and defining exclusions. You can determine whether any devices are not applicable for attack surface reduction rules. ## Use code signing for applications From 4924722b91522b38ecd02482824b7d2734ec7fed Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:53:12 -0800 Subject: [PATCH 293/304] ASR content updates --- windows/security/threat-protection/TOC.md | 1 - ...ractices-attack-surface-reduction-rules.md | 159 ------------------ 2 files changed, 160 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index e62fbe4434..805b02475c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -82,7 +82,6 @@ #### [Attack surface reduction controls]() ##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) -##### [Best practices with attack surface reduction rules](microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md) ##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md) ##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md) ##### [View attack surface reduction events](microsoft-defender-atp/event-views.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md deleted file mode 100644 index a4d1e2ca6c..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ /dev/null @@ -1,159 +0,0 @@ ---- -title: Tips and best practices for attack surface reduction rules -description: Prevent issues from arising with your attack surface reduction rules by following these best practices -keywords: Microsoft Defender ATP, attack surface reduction, best practices -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -author: denisebmsft -ms.author: deniseb -manager: dansimp -ms.reviewer: jcedola -audience: ITPro -ms.topic: article -ms.prod: w10 -ms.localizationpriority: medium -ms.custom: -- asr -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint ---- - -# Tips and best practices for attack surface reduction rules - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -**Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -Attack surface reduction rules help reduce vulnerabilities by targeting certain software behaviors. These behaviors include: - -- Launching executable files and scripts that attempt to download or run files; -- Running obfuscated or otherwise suspicious scripts; and -- Performing behaviors that apps don't usually initiate during normal day-to-day work. - -This article includes tips, best practices, and important considerations regarding attack surface reduction rules. - - - -## Results of applying ASR rules - -- The process of applying ASR rules on devices provides scope to query for reports. These queries can be implemented in the form of templates. - - - -- Once applying ASR rules to devices leads to querying for reports, there are a few sources from which reports can be queried. One of such sources is the [Microsoft 365 security center](https://security.microsoft.com) - - - -## Applicable to rule states - -This section describes the best practices with regard to the states which any ASR rule can be set to, irrespective of the method used to configure or deploy the ASR rule. - -Prior to describing the best pratices for the ASR rules' states, it is important to know the states which an ASR rule can be set to: - -- **Not configured**: This is the state in which the ASR rule has been disabled. The code for this state is 0. -- **Block**: This is the state in which the ASR rule is enabled. YThe code for this state is 1. -- **Audit**: This is the state in which the ASR rule is evaluated about its impactive behavior toward the organization or environment in which it is deployed. - -## Recommendation - -The recommended practice for a deployed ASR rule is to start it in **audit** mode. The reasons for recommendation of this best practice are: - -1. **Access to logs and reviews**: When an ASR rule is set to **audit** mode, you can get access to the logs and reviews pertaining to it. These logs and reviews are data that helps you to analyze the impact of the ASR rule. -2. **Rule-related decision**: The analysis findings guided by the logs and reviews help you take a decision whether to deploy or exclude the ASR rule or not. For information on ASR rule exclusion see - - - - - -## Use a phased approach - -Before you roll out attack surface reduction rules in your organization, select a small set of managed devices to start. - -The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: - -- **Better prospects for seeing the impact of attack surface reduction rules** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. -- **Ease in determining exclusions for attack surface reduction rules** - Testing attack surface reduction rules on a smaller set of devices gives you flexibility in identifying and defining exclusions. You can determine whether any devices are not applicable for attack surface reduction rules. - -## Use code signing for applications - -As a best practice, use code signing for all the applications and scripts that your organization is using. This includes internally developed applications. Using code signing helps avoid false positives with attack surface reduction rules. It can also help avoid issues with attack surface reduction rules for developers and other users within your organization. - -## View reports from various sources in Microsoft - -### From the Microsoft 365 security center - -In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. (MORE TO COME!) - -To retrieve and view the reports generated in ([https://security.microsoft.com](https://security.microsoft.com)), ensure that the device for which you seek a report is onboarded on to Microsoft Defender ATP. - -### By Microsoft Defender ATP advanced hunting - -Advanced hunting is a query-based threat-hunting tool of Microsoft Defender ATP. This tool generates reports based on the findings of the threat-hunting process. - -The **advanced hunting** tool enables the users to audit the **Of-the-last-30-days** data collected from various devices by Microsoft Defender ATP Endpoint Detection and Response (EDR). It facilitates proactive logging of any suspicious indicators and entities in the events that you explore. This tool provides flexibility in accessing data (without any restriction in category of data to be accessed). This flexibility enables the user to detect known threats and spot new threats. - -The reports for the ASR rules' events are generated by querying the **DeviceEvents** table. - -**Template of DeviceEvents table** - -DeviceEvents -| where Timestamp > ago (30d) -| where ActionType startswith "Asr" -| summarize EventCount=count () by ActionType - -**Procedure** - -1. Navigate to **Advanced hunting** module in the **Microsoft Defender Security Center** portal. -2. Click **Query**. -3. Click **+ New** to create a new query. -4. Click **Run query**. The report based on the query parameters (specified in the **Template of DeviceEvents table** section) is generated. - -### By Microsoft Defender ATP machine timeline - -Machine timeline is another report-generating source in Microsoft Defender ATP, but with a narrower scope. - -Reports relating to ASR rule events can be generated for the preceding-6-months period on a specific endpoint or device. - -**Summarized procedure to generate report** - -1. Log in to **Microsoft Defender Security Center** and navigate to the **Machines** tab. -2. Choose a machine for which you want to view the reports of its ASR rule-related events. -3. Click **Timeline** and choose the time range for which the report is to display data. - - -## Get the Power BI report template - - - -## Avoid policy conflicts - -If a conflicting policy has emerged as a result of a policy being applied from Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM takes precedence. For more information, see [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). - -You can now create a superset of policies for attack surface reduction rules that apply to [MEM-managed devices](/mem/intune/enrollment/device-management-capabilities). When you do this, only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either of the profiles would be deployed. Attack surface reduction rule merge behavior works like this: - -| Situation | What happens | -|:---|:---| -| Two or more policies have multiple settings configured | The settings that do not conflict are merged into the superset of the policies they are mapped to. | -| Two or more policies have a conflict with a single setting | Only the single setting with a conflict is held back from being merged into the superset of the policies.

The bundle of settings as a whole is not held back from being merged into the superset because of a single conflict-affected setting.

The policy as a whole is not flagged as **being in conflict**. | - -The policy superset can include settings from the following profiles: -- Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction. -- Endpoint security > Attack surface reduction policy > Attack surface reduction rules. -- Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Profiles > Profile Name > Properties > Configuration settings > Attack Surface Reduction Rules - -## See the demystifying blogs - -The following table lists several blog posts that you might find helpful. All of these blogs are hosted on the [Microsoft Tech Community site](https://techcommunity.microsoft.com), under [Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog). - -|Blog |Description | -|---------|---------| -|[Demystifying attack surface reduction rules - Part 1: Why and What](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) | Get a quick overview of the Why and the What through eight questions and answers. | -|[Demystifying attack surface reduction rules - Part 2: How](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-2/ba-p/1326565) | See how to configure attack surface reduction rules, how exclusions work, and how to define exclusions. | -|[Demystifying attack surface reduction rules - Part 3: Reports and Troubleshooting](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-3/ba-p/1360968) | Learn how to view reports and information about attack surface reduction rules and their status, and how to troubleshoot issues with rule impact and operations. | -|[Demystifying attack surface reduction rules - Part 4: Migrating](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-4/ba-p/1384425) | If you're currently using a non-Microsoft host intrusion prevention system (HIPS) and are evaluating or migrating to attack surface reduction capabilities in Microsoft Defender for Endpoint, see this blog. You'll see how custom rules you were using with your HIPS solution can map to attack surface reduction rules in Microsoft Defender for Endpoint. | - From 70580c16ad5f361a79660284ce0d5bbcd47d1c76 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:58:12 -0800 Subject: [PATCH 294/304] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 8602493f71..b6ab784185 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -42,7 +42,7 @@ Controlled folder access works best with [Microsoft Defender for Endpoint](../mi Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. -Controlled folder access works with a list of trusted apps. If an app is included in the list of trusted software, it works as expected. If not, the app is prevented from making any changes to files that are inside protected folders. +Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the list are prevented from making any changes to files inside protected folders. Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically. @@ -52,7 +52,7 @@ Apps can also be added manually to the trusted list by using Configuration Manag Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add more folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. @@ -131,4 +131,4 @@ You can use the Windows Security app to view the list of folders that are protec - [Evaluate controlled folder access](evaluate-controlled-folder-access.md) - [Customize controlled folder access](customize-controlled-folders.md) -- [Protect additional folders](customize-controlled-folders.md#protect-additional-folders) +- [Protect more folders](customize-controlled-folders.md#protect-additional-folders) From b3579aab3320bead1ea7ef70196acda23e07aa43 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 14:00:38 -0800 Subject: [PATCH 295/304] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 0835bbe05e..bce0f8e035 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -43,11 +43,11 @@ For more information about configuring attack surface reduction rules, see [Enab ## Assess rule impact before deployment -You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). +You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). :::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule"::: -In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity. +In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity. ## Audit mode for evaluation From 49b748a730aa40bc625bc3b57a406143667092bf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 14:04:00 -0800 Subject: [PATCH 296/304] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index bce0f8e035..846bc4dbca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -51,7 +51,7 @@ In the recommendation details pane, check for user impact to determine what perc ## Audit mode for evaluation -Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without reducing productivity. ## Warn mode for users @@ -95,13 +95,13 @@ Notifications and any alerts that are generated can be viewed in the Microsoft D You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour. -For example, suppose that an attack surface reduction event occurs on ten devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on ten devices), and its timestamp will be 2:15 PM. +For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM. For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md). ## Attack surface reduction features across Windows versions -You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows: - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later @@ -169,9 +169,9 @@ If you are configuring attack surface reduction rules by using Group Policy or P ### Block Adobe Reader from creating child processes -This rule prevents attacks by blocking Adobe Reader from creating additional processes. +This rule prevents attacks by blocking Adobe Reader from creating processes. -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. +Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. This rule was introduced in: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) @@ -188,7 +188,7 @@ GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access. -Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. +Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) @@ -353,7 +353,7 @@ GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. -This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. +This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. > [!NOTE] > This rule applies to Outlook and Outlook.com only. @@ -426,7 +426,7 @@ GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` This rule prevents VBA macros from calling Win32 APIs. -Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. +Office VBA enables Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) From 7ca558ba2347ccad48dd3db0e644a6c10f5b306f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 3 Feb 2021 16:02:31 -0800 Subject: [PATCH 297/304] Added automatic image border, indented note in list item --- ...er-application-control-policies-using-intune.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 1f84641636..d44af33f24 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -58,15 +58,20 @@ Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationCo The steps to use Intune's Custom OMA-URI functionality are: 1. Know a generated policy's GUID, which can be found in the policy xml as `` + 2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. + 3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. + 4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**. + 5. Add a row, then give your policy a name and use the following settings: - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy - **Data type**: Base64 - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. - ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) + > [!div class="mx-imgBorder"] + > ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) #### Removing policies @@ -78,15 +83,18 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: 1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. + 2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. + 3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**. + 4. Add a row, then give your policy a name and use the following settings: - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) - **Data type**: Base64 - **Certificate file**: upload your binary format policy file -> [!NOTE] -> Deploying policies via the AppLocker CSP will force a reboot during OOBE. + > [!NOTE] + > Deploying policies via the AppLocker CSP will force a reboot during OOBE. #### Removing policies From 68a4c1dddae4e0ab457802d54180545168b58ce9 Mon Sep 17 00:00:00 2001 From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com> Date: Wed, 3 Feb 2021 16:28:12 -0800 Subject: [PATCH 298/304] Update Onboard-Windows-10-multi-session-device.md --- .../Onboard-Windows-10-multi-session-device.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index 1f03573655..7f1df6920d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -25,9 +25,6 @@ ms.technology: mde Applies to: - Windows 10 multi-session running on Windows Virtual Desktop (WVD) -> [!WARNING] -> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported. - Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity. ## Before you begin From b7ff50c0ecc9ad5290c8b2f796714d4b0a315b5f Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 3 Feb 2021 16:31:28 -0800 Subject: [PATCH 299/304] Default update for AutomaticMaintenanceWakeUp --- windows/client-management/mdm/policy-csp-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index df70a21a7c..ac89864af8 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1113,8 +1113,8 @@ ADMX Info: Supported values: -- 0 - Disable (Default) -- 1 - Enable +- 0 - Disable +- 1 - Enable (Default) From 650ec848bbef230bfad7b9992a99daecc0c44bbe Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 3 Feb 2021 16:55:50 -0800 Subject: [PATCH 300/304] Fixed list of categories that was displayed as a paragraph --- .../mdm/policy-csp-update.md | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index ac89864af8..8698b88092 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1733,18 +1733,19 @@ OS upgrade: Update: - Maximum deferral: 1 month - Deferral increment: 1 week -- Update type/notes: - If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 +- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic: + + - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 Other/cannot defer: + - Maximum deferral: No deferral - Deferral increment: No deferral - Update type/notes: From b8132898d8b37a888292975338cca8616418d5a4 Mon Sep 17 00:00:00 2001 From: MatiG Date: Thu, 4 Feb 2021 16:28:24 +0200 Subject: [PATCH 301/304] change default to prod --- .../linux-install-manually.md | 36 +++++++++++++------ 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index c45701fbed..f41fa4b080 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -32,10 +32,18 @@ ms.technology: mde This article describes how to deploy Microsoft Defender for Endpoint for Linux manually. A successful deployment requires the completion of all of the following tasks: -- [Configure the Linux software repository](#configure-the-linux-software-repository) -- [Application installation](#application-installation) -- [Download the onboarding package](#download-the-onboarding-package) -- [Client configuration](#client-configuration) +- [Deploy Microsoft Defender for Endpoint for Linux manually](#deploy-microsoft-defender-for-endpoint-for-linux-manually) + - [Prerequisites and system requirements](#prerequisites-and-system-requirements) + - [Configure the Linux software repository](#configure-the-linux-software-repository) + - [RHEL and variants (CentOS and Oracle Linux)](#rhel-and-variants-centos-and-oracle-linux) + - [SLES and variants](#sles-and-variants) + - [Ubuntu and Debian systems](#ubuntu-and-debian-systems) + - [Application installation](#application-installation) + - [Download the onboarding package](#download-the-onboarding-package) + - [Client configuration](#client-configuration) + - [Log installation issues](#log-installation-issues) + - [Operating system upgrades](#operating-system-upgrades) + - [Uninstallation](#uninstallation) ## Prerequisites and system requirements @@ -71,7 +79,13 @@ In order to preview new features and provide early feedback, it is recommended t sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo ``` - For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insiders-fast* channel: + For example, if you are running CentOS 7 and wish to deploy MDE for Linux from the *prod* channel: + + ```bash + sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/prod.repo + ``` + + Or if you wish to explore new features on selected devices, you might want to deploy MDE for Linux to *insiders-fast* channel: ```bash sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo @@ -99,10 +113,10 @@ In order to preview new features and provide early feedback, it is recommended t sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo ``` - For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insiders-fast* channel: + For example, if you are running SLES 12 and wish to deploy MDE for Linux from the *prod* channel: ```bash - sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo + sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/config/sles/12/prod.repo ``` - Install the Microsoft GPG public key: @@ -133,10 +147,10 @@ In order to preview new features and provide early feedback, it is recommended t curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list ``` - For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insiders-fast* channel: + For example, if you are running Ubuntu 18.04 and wish to deploy MDE for Linux from the *prod* channel: ```bash - curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list + curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list ``` - Install the repository configuration: @@ -144,10 +158,10 @@ In order to preview new features and provide early feedback, it is recommended t ```bash sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list ``` - For example, if you chose *insiders-fast* channel: + For example, if you chose *prod* channel: ```bash - sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list + sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list ``` - Install the `gpg` package if not already installed: From 845958b66d328bfa36723e14c91065249fb96398 Mon Sep 17 00:00:00 2001 From: MatiG Date: Thu, 4 Feb 2021 17:30:24 +0200 Subject: [PATCH 302/304] "closest" meaning --- .../microsoft-defender-atp/linux-install-manually.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index f41fa4b080..046ec05444 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -68,7 +68,7 @@ In order to preview new features and provide early feedback, it is recommended t sudo yum install yum-utils ``` -- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`. +- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/`. For instance, RHEL 7.9 is closer to 7.4 than to 8. In the below commands, replace *[distro]* and *[version]* with the information you've identified: @@ -105,7 +105,7 @@ In order to preview new features and provide early feedback, it is recommended t ### SLES and variants -- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`. +- Note your distribution and version, and identify the closest entry(by major, then minor) for it under `https://packages.microsoft.com/config/`. In the following commands, replace *[distro]* and *[version]* with the information you've identified: @@ -139,7 +139,7 @@ In order to preview new features and provide early feedback, it is recommended t sudo apt-get install libplist-utils ``` -- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`. +- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config`. In the below command, replace *[distro]* and *[version]* with the information you've identified: From 5de115d5a01426ef854582bc19e44bb1430bb386 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 4 Feb 2021 07:35:49 -0800 Subject: [PATCH 303/304] Update Onboard-Windows-10-multi-session-device.md --- ...Onboard-Windows-10-multi-session-device.md | 35 +++++++++---------- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index 7f1df6920d..a03a960bb6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -13,14 +13,13 @@ ms.topic: article author: dansimp ms.author: dansimp ms.custom: nextgen -ms.date: 09/10/2020 +ms.date: 02/04/2021 ms.reviewer: manager: dansimp ms.technology: mde --- # Onboard Windows 10 multi-session devices in Windows Virtual Desktop -6 minutes to read Applies to: - Windows 10 multi-session running on Windows Virtual Desktop (WVD) @@ -28,37 +27,37 @@ Applies to: Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity. ## Before you begin -Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). While [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a golden Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment and thus impacts what entries are created and maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility for your security analysts. +Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts. > [!NOTE] -> Depending on your choice of onboarding method, devices can appear in Microsoft Defender for Endpoint portal as either: +> Depending on your choice of onboarding method, devices can appear in MMicrosoft Defender Security Center as either: > - Single entry for each virtual desktop > - Multiple entries for each virtual desktop -Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. +Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Security Center is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender Security Center. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. -Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. +Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. > [!NOTE] > The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. -### Scenarios +## Scenarios There are several ways to onboard a WVD host machine: - Run the script in the golden image (or from a shared location) during startup. - Use a management tool to run the script. -#### *Scenario 1: Using local group policy* +### Scenario 1: Using local group policy This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process. Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Follow the instructions for a single entry for each device. -#### *Scenario 2: Using domain group policy* +### Scenario 2: Using domain group policy This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way. -**Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center** +#### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center 1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. - Select Windows 10 as the operating system. @@ -66,7 +65,7 @@ This scenario uses a centrally located script and runs it using a domain-based g - Click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**. -**Use Group Policy management console to run the script when the virtual machine starts** +#### Use Group Policy management console to run the script when the virtual machine starts 1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**. 1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7). @@ -81,7 +80,7 @@ Enter the following: Click **OK** and close any open GPMC windows. -#### *Scenario 3: Onboarding using management tools* +### Scenario 3: Onboarding using management tools If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager. @@ -93,18 +92,18 @@ For more information, see: [Onboard Windows 10 devices using Configuration Manag > [!TIP] > After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test). -#### Tagging your machines when building your golden image +## Tagging your machines when building your image As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see [Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value). -#### Other recommended configuration settings +## Other recommended configuration settings -When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings). +When building your image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings). In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection: -**Exclude Files:** +### Exclude Files > %ProgramFiles%\FSLogix\Apps\frxdrv.sys
> %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys
@@ -116,12 +115,12 @@ In addition, if you are using FSlogix user profiles, we recommend you exclude th > \\storageaccount.file.core.windows.net\share\*\*.VHD
> \\storageaccount.file.core.windows.net\share\*\*.VHDX
-**Exclude Processes:** +### Exclude Processes > %ProgramFiles%\FSLogix\Apps\frxccd.exe
> %ProgramFiles%\FSLogix\Apps\frxccds.exe
> %ProgramFiles%\FSLogix\Apps\frxsvc.exe
-#### Licensing requirements +## Licensing requirements Windows 10 Multi-session is a client OS. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements). From 6f46373573a78e6cde7c9d40b292d4805d31e877 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 4 Feb 2021 11:08:59 -0800 Subject: [PATCH 304/304] pencil edit --- .../Onboard-Windows-10-multi-session-device.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index a03a960bb6..3abe07fc71 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -30,7 +30,7 @@ Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts. > [!NOTE] -> Depending on your choice of onboarding method, devices can appear in MMicrosoft Defender Security Center as either: +> Depending on your choice of onboarding method, devices can appear in Microsoft Defender Security Center as either: > - Single entry for each virtual desktop > - Multiple entries for each virtual desktop