deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 20:03:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into MDBranchPhase2bPoliciesSet3

Browse Source
This commit is contained in:
ManikaDhiman
2020-12-16 09:51:37 -08:00
parent b440abef57 4c71187384
commit 567f9bc9ee
26 changed files with 124 additions and 189 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/client-management/mdm/get-product-package.md
View File

@ -1,6 +1,6 @@
---
title: Get product package
description: The Get product package operation retrieves the information about a specific application in the Micosoft Store for Business.
description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business.
ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F
ms.reviewer:
manager: dansimp
@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get product package
The **Get product package** operation retrieves the information about a specific application in the Micosoft Store for Business.
The **Get product package** operation retrieves the information about a specific application in the Microsoft Store for Business.
## Request

4
windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
View File

@ -51,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet.
## Procedures
1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass@word1** and click **Next**.
2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and click **Next**.
3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
5. The operating system deployment will take several minutes to complete.
@ -99,4 +99,4 @@ Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Ma
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>

4
windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
View File

@ -129,7 +129,7 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach
On **DC01**:
1. Sign in as contoso\administrtor and enter the following at an elevated Windows PowerShell prompt:
1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt:
```
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
@ -389,4 +389,4 @@ You can create reference images for Configuration Manager in Configuration Manag
[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)

2
windows/deployment/windows-10-poc-sc-config-mgr.md
View File

@ -283,7 +283,7 @@ This section contains several procedures to support Zero Touch installation with
3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
4. Click the yellow starburst and then click **New Account**.
5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**.
6. Next to **Password** and **Confirm Password**, type **pass@word1**, and then click **OK** twice.
6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then click **OK** twice.
### Configure a boundary group

16
windows/deployment/windows-10-poc.md
View File

@ -214,7 +214,7 @@ Starting with Windows 8, the host computers microprocessor must support secon
2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
<pre style="overflow-y: visible">Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V All</pre>
<pre style="overflow-y: visible">Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All</pre>
This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
@ -542,8 +542,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
<pre style="overflow-y: visible">
Resize-VHD Path c:\VHD\2012R2-poc-2.vhd SizeBytes 100GB
$x = (Mount-VHD Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 100GB
$x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
</pre>
@ -551,7 +551,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible">
Get-Volume -DriveLetter $x
Dismount-VHD Path c:\VHD\2012R2-poc-2.vhd</pre>
Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd</pre>
### Configure Hyper-V
@ -712,7 +712,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible">
Rename-Computer DC1
New-NetIPAddress InterfaceAlias Ethernet IPAddress 192.168.0.1 PrefixLength 24 -DefaultGateway 192.168.0.2
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
</pre>
@ -749,7 +749,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
netsh dhcp add securitygroups
Restart-Service DHCPServer
Add-DhcpServerInDC dc1.contoso.com 192.168.0.1
Set-ItemProperty Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 Name ConfigurationState Value 2
Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
</pre>
10. Next, add a DHCP scope and set option values:
@ -886,7 +886,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible">
Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
Copy-VMFile "PC1" SourcePath "C:\VHD\pc1.ps1" DestinationPath "C:\pc1.ps1" CreateFullPath FileSource Host
Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
</pre>
>In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
@ -917,7 +917,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible">
Rename-Computer SRV1
New-NetIPAddress InterfaceAlias Ethernet IPAddress 192.168.0.2 PrefixLength 24
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
Restart-Computer
</pre>

2
windows/deployment/windows-10-subscription-activation.md
View File

@ -91,7 +91,7 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products &
For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
#### Multi-factor authentication

24
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -66,26 +66,18 @@ You configure Windows 10 to use the Microsoft PIN Reset service using the comput
3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
### Configure Windows devices to use PIN reset using Microsoft Intune
To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP):
#### Create a PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account.
2. You need your tenant ID to complete the following task. You can discover your tenant ID by viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.</br>
1. Sign-in to [Enpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
2. Click **Endpoint Security**-> **Account Protection**-> **Properties**.
3. Set **Enable PIN recovery** to **Yes**.
```
dsregcmd /status | findstr -snip "tenantid"
```
> [!NOTE]
> You can also setup PIN recovery using configuration profiles.
> 1. Sign in to Endpoint Manager.
> 2. Click **Devices** -> **Configuration Profiles** -> Create a new profile or edit an existing profile using the Identity Protection profile type.
> 3. Set **Enable PIN recovery** to **Yes**.
1. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**.
1. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list.
1. In the **Custom OMA-URI Settings** blade, Click **Add**.
1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where <b>*tenant ID*</b> is your Azure Active Directory tenant ID from step 2.
1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
1. Click **OK** to save the row configuration. Click **OK** to close the <b>Custom OMA-URI Settings blade. Click **Create</b> to save the profile.
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.

78
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -532,15 +532,12 @@ The Intune Certificate Connector application enables Microsoft Intune to enroll
### Download Intune Certificate Connector
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
![Microsoft Intune Console](images/aadjcert/microsoftintuneconsole.png)
3. Select **Device Configuration**, and then select **Certificate Connectors**.
![Intune Certificate Authority](images/aadjcert/intunedeviceconfigurationcertauthority.png)
4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section.
![Intune Download Certificate connector](images/aadjcert/intunedownloadcertconnector.png)
5. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
6. Sign-out of the Azure Portal.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
![Intune Certificate Authority](images/aadjcert/profile01.png)
4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
5. Sign-out of the Microsoft Endpoint Manager admin center.
### Install the Intune Certificate Connector
Sign-in the NDES server with access equivalent to _domain administrator_.
@ -639,47 +636,42 @@ Sign-in a workstation with access equivalent to a _domain user_.
### Create a SCEP Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
3. Select **Device Configuration**, and then click **Profiles**.
4. Select **Create Profile**.
![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png)
5. Select **Windows 10 and later** from the **Platform** list.
6. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
7. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
8. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
9. Select **User** as a certificate type.
10. Configure **Certificate validity period** to match your organization.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**, and then click **Configuration Profiles**.
3. Select **Create Profile**.
![Intune Device Configuration Create Profile](images/aadjcert/profile02.png)
4. Select **Windows 10 and later** from the **Platform** list.
5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
7. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
8. Select **User** as a certificate type.
9. Configure **Certificate validity period** to match your organization.
> [!IMPORTANT]
> Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
11. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
12. Select **Custom** from the **Subject name format** list.
13. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
14. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
15. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
16. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png)
17. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
18. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png)
19. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
20. Click **Next**.
21. Click **Next** two more times to skip the **Scope tags** and **Assignments** steps of the wizard and click **Create**.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
![WHFB SCEP certificate Profile EKUs](images/aadjcert/profile03.png)
17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
18. Click **Next**.
19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
### Assign Group to the WHFB Certificate Enrollment Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
3. Select **Device Configuration**, and then click **Profiles**.
4. Click **WHFB Certificate Enrollment**.
![WHFB Scep Profile landing](images/aadjcert/intunewhfbscepprofile-04.png)
5. Click **Assignments**.
6. In the **Assignments** pane, Click **Include**. Select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
![WHFB SCEP Profile Assignment](images/aadjcert/intunewhfbscepprofileassignment.png)
7. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
8. Click **Save**.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**, and then click **Configuration Profiles**.
3. Click **WHFB Certificate Enrollment**.
4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png)
6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
7. Click **Review + Save**, and then **Save**.
You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 145 KiB

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile02.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 55 KiB

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile03.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile04.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

2
windows/security/identity-protection/vpn/vpn-name-resolution.md
View File

@ -52,7 +52,7 @@ Primary DNS suffix is set using the **VPNv2/*ProfileName*/DnsSuffix** node.
## Persistent
You can also configure *persistent* name resolution rules. Name resolution for specified items will only performed over VPN.
You can also configure *persistent* name resolution rules. Name resolution for specified items will only be performed over the VPN.
Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.

3
windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
View File

@ -37,6 +37,9 @@ Most of the BitLocker Group Policy settings are applied when BitLocker is initia
If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group
Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
> [!NOTE]
> For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker).
## <a href="" id="bkmk-gptop"></a>BitLocker Group Policy settings
The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.

2
windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
View File

@ -56,7 +56,7 @@ For more information about the specific network-connectivity requirements to ens
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
## Use Microsoft Endpoint Configuration Manager to turn on cloud-delivered protection
## Use Microsoft Endpoint Manager to turn on cloud-delivered protection
1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
2. Choose **Endpoint security** > **Antivirus**.

16
windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
View File

@ -15,7 +15,7 @@ ms.localizationpriority: medium
ms.custom:
- next-gen
- edr
ms.date: 12/10/2020
ms.date: 12/14/2020
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
@ -43,7 +43,7 @@ EDR in block mode is also integrated with [threat & vulnerability management](ht
## What happens when something is detected?
When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
@ -83,11 +83,11 @@ The following image shows an instance of unwanted software that was detected and
### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?
We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Microsoft Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
### Will EDR in block mode have any impact on a user's antivirus protection?
No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
### Why do I need to keep Microsoft Defender Antivirus up to date?
@ -99,9 +99,7 @@ Cloud protection is needed to turn on the feature on the device. Cloud protectio
## See also
[Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
[Behavioral blocking and containment](behavioral-blocking-containment.md)
[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus)
- [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
- [Behavioral blocking and containment](behavioral-blocking-containment.md)
- [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus)

5
windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
View File

@ -21,7 +21,10 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender for Endpoint(https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>[!NOTE]
>If you are a US Gov customer, please refer to API endpoints listed in [here](gov.md#api).
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

14
windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
View File

@ -52,16 +52,12 @@ To have your company listed as a partner in the in-product partner page, you wil
6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
Follow these steps:
1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender for Endpoint-integrated product with the version of the product that includes this integration.
- ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`
- Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}`
- Set the User-Agent field in each HTTP request header to the name based on the Following nomenclature.
- `MsdePartner-{CompanyName}-{ProductName}/{Version}`
- For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
- Set the User-Agent field in each HTTP request header to the below format.
- `MdePartner-{CompanyName}-{ProductName}/{Version}`
- For example, User-Agent: `MdePartner-Contoso-ContosoCognito/1.0.0`
- For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43).

6
windows/security/threat-protection/microsoft-defender-atp/gov.md
View File

@ -40,7 +40,7 @@ The following OS versions are supported:
- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/help/4490481))
>[!NOTE]
A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
>A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
The following OS versions are supported via Azure Security Center:
- Windows Server 2008 R2 SP1
@ -108,4 +108,8 @@ Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```
Defender for Endpoint GCC High specific | ```us4-v20.events.data.microsoft.com``` <br>```winatp-gw-usgt.microsoft.com```<br>```winatp-gw-usgv.microsoft.com```<br>```*.blob.core.usgovcloudapi.net```
## API
Login endpoint: ```https://login.microsoftonline.us```
Microsoft Defender for Endpoint API endpoint: ```https://api-gov.securitycenter.microsoft.us```

BIN
windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 315 KiB

After

Width:  |  Height:  |  Size: 312 KiB

68
windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
View File

@ -20,7 +20,7 @@ ms.topic: article
ms.date: 04/24/2018
---
# Investigate Microsoft Defender Advanced Threat Protection alerts
# Investigate alerts in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -35,70 +35,40 @@ ms.date: 04/24/2018
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
Click an alert to see the alert details view and the various tiles that provide information about the alert.
Select an alert from the alerts queue to go to alert page. This view contains the alert title, the affected assets, the details side pane, and the alert story.
From the alert details view, you can manage an alert and see alert data such as severity, category, technique, along with other information that can help you make better decisions on how to approach them.
From the alert page, begin your investigation by selecting the affected assets or any of the entities under the alert story tree view. The details pane automatically populates with further information about what you selected. To see what kind of information you can view here, read [Review alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).
The techniques reflected in the card are based on [MITRE enterprise techniques](https://attack.mitre.org/techniques/enterprise/).
## Investigate using the alert story
You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md).
The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
![Image of the alert page](images/atp-alert-view.png)
Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the device or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
Expand entities to view details at a glance. Selecting an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Selecting *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
For more information about managing alerts, see [Manage alerts](manage-alerts.md).
> [!NOTE]
> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
![An example of an alert story with an alert in focus and some expanded cards](images/alert-story-tree.png)
You can click on the device link from the alert view to navigate to the device. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Device timeline**. If the alert appeared more than once on the device, the latest occurrence will be displayed in the **Device timeline**.
## Take action from the details pane
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information when it's available, and offer controls to **take action** on this entity directly from the alert page.
![A detailed view of an alert when clicked](images/atp-actor-alert.png)
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
If you classify it as a true alert, you can also select a determination, as shown in the image below.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
![A snippet of the details pane with a resolved alert and the determination drop-down expanded](images/alert-details-resolved-true.png)
![Image of detailed actor profile](images/atp-detailed-actor.png)
If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
![actions and classification in the details pane with the suppression rule highlighted](images/alert-false-suppression-rule.png)
## Alert process tree
The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page.
> [!TIP]
> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
![Image of the alert process tree](images/atp-alert-process-tree.png)
The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.
>[!NOTE]
>The alert process tree might not show for some alerts, including alerts not triggered directly by process activity.
Clicking in the circle immediately to the left of the indicator displays its details.
![Image of the alert details pane](images/atp-alert-mgt-pane.png)
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page while remaining on the alert page, so you never leave the current context of your investigation.
## Incident graph
The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other devices. It provides a graphical mapping from the original device and evidence expanding to show other devices in the organization where the triggering evidence was also observed.
![Image of the Incident graph](images/atp-incident-graph.png)
The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate.
The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
You can click the full circles on the incident graph to expand the nodes and view the expansion to other devices where the matching criteria were observed.
## Artifact timeline
The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the device, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the device. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the device earlier - without triggering an alert.
![Image of artifact timeline](images/atp-alert-timeline.png)
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
## Related topics
- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)

2
windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
View File

@ -132,8 +132,6 @@ More details about certain events are provided in the **Additional information**
- Suspicious script detected - a potentially malicious script was found running
- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided
You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific device.
#### Event details
Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.

5
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
View File

@ -143,6 +143,11 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
```
For example, if you chose *insiders-fast* channel:
```bash
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list
```
- Install the `gpg` package if not already installed:

8
windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
View File

@ -13,9 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
---
@ -90,7 +90,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Group |Scenario |Command |
|-------------|-------------------------------------------|----------------------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection [enabled/disabled]` |
|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled/disabled]` |
|Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` |
|Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` |
|Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` |

45
windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
View File

@ -33,21 +33,21 @@ The alert page in Microsoft Defender for Endpoint provides full context to the a
Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. Learn more in this overview.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5]
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4yiO5]
## Getting started with an alert
Clicking on an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
Selecting an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page.
2. [**Affected assets**](#review-affected-assets) lists cards of devices and users affected by this alert that are clickable for further information and actions.
3. [**The alert story**](#investigate-using-the-alert-story) displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page.
4. [**The details pane**](#take-action-from-the-details-pane) will show the details of the selected alert at first, with details and actions related to this alert. If you click on any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.
3. The **alert story** displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page. Use the alert story to start your investigation. Learn how in [Investigate alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts).
4. The **details pane** will show the details of the selected alert at first, with details and actions related to this alert. If you select any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.
![An alert page when you first land on it](images/alert-landing-view.png)
Note the detection status for your alert. Blocked, prevented, or remediated means actions were already taken by Defender for Endpoint.
Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions.
Note the detection status for your alert. Blocked, or prevented means actions were already taken by Defender for Endpoint.
Start by reviewing the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions.
![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png)
@ -55,42 +55,13 @@ Other information available in the details pane when the alert opens includes MI
## Review affected assets
Clicking on a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
Selecting a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view.
- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can click *Open user page* to continue the investigation from that user's point of view.
- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view.
![A snippet of the details pane when a device is selected](images/alert-device-details.png)
## Investigate using the alert story
The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
Expand entities to view details at-a-glance about them. Clicking on an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Clicking on *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
> [!NOTE]
> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
![An example of an alert story with an alert in focus and some expanded cards](images/alert-story-tree.png)
## Take action from the details pane
Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information, when its available, and offer controls to **take action** on this entity directly from the alert page.
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
If you classify it as a true alert, you can also select a determination, as shown in the image below.
![A snippet of the details pane with a resolved alert and the determination drop-down expanded](images/alert-details-resolved-true.png)
If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
![actions and classification in the details pane with the suppression rule highlighted](images/alert-false-suppression-rule.png)
> [!TIP]
> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
## Related topics

3
windows/security/threat-protection/security-policy-settings/maximum-password-age.md
View File

@ -39,6 +39,9 @@ The **Maximum password age** policy setting determines the period of time (in da
Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources.
> [!NOTE]
> The security baseline recommended by Microsoft doesn't contain the password-expiration policy, as it is less effective than modern mitigations. However, companies that didn't implement Azure AD Password Protection, multifactor authentication, or other modern mitigations of password-guessing attacks, should leave this policy in effect.
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**