- Enable this policy setting
- Set Allow Telemetry to level 2 (Enhanced)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 4eb6ccaccf..fb0f2d5519 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - Update
-> [!NOTE]
-> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
@@ -1927,7 +1925,7 @@ ADMX Info:
-Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
+Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should only be enabled when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update.
@@ -2920,7 +2918,7 @@ The following list shows the supported values:
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+Added in Windows 10, version 1607. Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later.
@@ -2936,7 +2934,7 @@ ADMX Info:
The following list shows the supported values:
- 0 (default) – Feature Updates are not paused.
-- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
+- 1 – Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
@@ -2987,7 +2985,7 @@ The following list shows the supported values:
-Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
+Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date.
Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.
@@ -3049,7 +3047,7 @@ ADMX Info:
-Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+Added in Windows 10, version 1607. Allows IT Admins to pause quality updates. For those running Windows 10, version 1703 or later, we recommend that you use *Update/PauseQualityUpdatesStartTime* instead.
@@ -3116,7 +3114,7 @@ The following list shows the supported values:
-Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
+Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date.
Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
new file mode 100644
index 0000000000..a00be7e6d7
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -0,0 +1,561 @@
+---
+title: Policy CSP - WindowsSandbox
+description: Policy CSP - WindowsSandbox
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 10/14/2020
+---
+
+# Policy CSP - WindowsSandbox
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+
+## WindowsSandbox policies
+
+
+ -
+ WindowsSandbox/AllowAudioInput
+
+ -
+ WindowsSandbox/AllowClipboardRedirection
+
+ -
+ WindowsSandbox/AllowNetworking
+
+ -
+ WindowsSandbox/AllowPrinterRedirection
+
+ -
+ WindowsSandbox/AllowVGPU
+
+ -
+ WindowsSandbox/AllowVideoInput
+
+
+
+
+
+
+
+**WindowsSandbox/AllowAudioInput**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+  |
+
+
+ | Pro |
+  9 |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ 9 |
+
+
+ | Education |
+ 9 |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable audio input to the Sandbox.
+
+> [!NOTE]
+> There may be security implications of exposing host audio input to the container.
+
+If this policy is not configured, end-users get the default behavior (audio input enabled).
+
+If audio input is disabled, a user will not be able to enable audio input from their own configuration file.
+
+If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+
+- GP English Name: *Allow audio input in Windows Sandbox*
+- GP name: *AllowAudioInput*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowClipboardRedirection**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ 9 |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ 9 |
+
+
+ | Education |
+ 9 |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox.
+
+If this policy is not configured, end-users get the default behavior (clipboard redirection enabled.
+
+If clipboard sharing is disabled, a user will not be able to enable clipboard sharing from their own configuration file.
+
+If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+
+- GP English Name: *Allow clipboard sharing with Windows Sandbox*
+- GP name: *AllowClipboardRedirection*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowNetworking**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ 9 |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ 9 |
+
+
+ | Education |
+ 9 |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network.
+
+If this policy is not configured, end-users get the default behavior (networking enabled).
+
+If networking is disabled, a user will not be able to enable networking from their own configuration file.
+
+If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+
+- GP English Name: *Allow networking in Windows Sandbox*
+- GP name: *AllowNetworking*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowPrinterRedirection**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ 9 |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ 9 |
+
+
+ | Education |
+ 9 |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox.
+
+If this policy is not configured, end-users get the default behavior (printer sharing disabled).
+
+If printer sharing is disabled, a user will not be able to enable printer sharing from their own configuration file.
+
+If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+
+- GP English Name: *Allow printer sharing with Windows Sandbox*
+- GP name: *AllowPrinterRedirection*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowVGPU**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ 9 |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ 9 |
+
+
+ | Education |
+ 9 |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox.
+
+> [!NOTE]
+> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox.
+
+If this policy is not configured, end-users get the default behavior (vGPU is disabled).
+
+If vGPU is disabled, a user will not be able to enable vGPU support from their own configuration file.
+
+If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+
+- GP English Name: *Allow vGPU sharing for Windows Sandbox*
+- GP name: *AllowVGPU*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+
+- 0 (default) - Disabled
+- 1 - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowVideoInput**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ 9 |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ 9 |
+
+
+ | Education |
+ 9 |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable video input to the Sandbox.
+
+> [!NOTE]
+> There may be security implications of exposing host video input to the container.
+
+If this policy is not configured, users get the default behavior (video input disabled).
+
+If video input is disabled, users will not be able to enable video input from their own configuration file.
+
+If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+- GP English Name: *Allow video input in Windows Sandbox*
+- GP name: *AllowVideoInput*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+
+- 0 (default) - Disabled
+- 1 - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+- 9 - Available in Windows 10, version 2010.
+
+
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index fcb23c170c..330dddba01 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -161,7 +161,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
@@ -239,7 +239,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The data type is boolean. Supported operation is Get and Replace.
**InBoxApps/Welcome/CurrentBackgroundPath**
-
Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons).
+
Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
The data type is string. Supported operation is Get and Replace.
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 7eabdf0411..0ed8e1db70 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -43,7 +43,9 @@ To troubleshoot Stop error messages, follow these general steps:
2. As a best practice, we recommend that you do the following:
a. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
-
+ - [Windows 10, version 2004](https://support.microsoft.com/help/4555932)
+ - [Windows 10, version 1909](https://support.microsoft.com/help/4529964)
+ - [Windows 10, version 1903](https://support.microsoft.com/help/4498140)
- [Windows 10, version 1809](https://support.microsoft.com/help/4464619)
- [Windows 10, version 1803](https://support.microsoft.com/help/4099479)
- [Windows 10, version 1709](https://support.microsoft.com/help/4043454)
diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
index f708897928..7f7855bca2 100644
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -16,7 +16,7 @@ manager: dansimp
In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
-> [Note]
+> [!NOTE]
> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide).
To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image.
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index f0c84c9b9b..8778dee89c 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -45,6 +45,9 @@
href: update/plan-define-strategy.md
- name: Delivery Optimization for Windows 10 updates
href: update/waas-delivery-optimization.md
+ items:
+ - name: Using a proxy with Delivery Optimization
+ href: update/delivery-optimization-proxy.md
- name: Best practices for feature updates on mission-critical devices
href: update/feature-update-mission-critical.md
- name: Windows 10 deployment considerations
@@ -196,6 +199,7 @@
- name: Data handling and privacy in Update Compliance
href: update/update-compliance-privacy.md
- name: Update Compliance schema reference
+ href: update/update-compliance-schema.md
items:
- name: WaaSUpdateStatus
href: update/update-compliance-schema-waasupdatestatus.md
diff --git a/windows/deployment/images/sigverif.png b/windows/deployment/images/sigverif.png
new file mode 100644
index 0000000000..0ed0c2fd0c
Binary files /dev/null and b/windows/deployment/images/sigverif.png differ
diff --git a/windows/deployment/update/delivery-optimization-proxy.md b/windows/deployment/update/delivery-optimization-proxy.md
new file mode 100644
index 0000000000..21e355ea15
--- /dev/null
+++ b/windows/deployment/update/delivery-optimization-proxy.md
@@ -0,0 +1,79 @@
+---
+title: Using a proxy with Delivery Optimization
+manager: laurawi
+description: Settings to use with various proxy configurations to allow Delivery Optimization to work
+keywords: updates, downloads, network, bandwidth
+ms.prod: w10
+ms.mktglfcycl: deploy
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Using a proxy with Delivery Optimization
+
+**Applies to**: Windows 10
+
+When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
+
+Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.
+
+For downloads that use Delivery Optimization to successfully use the proxy, you should set the proxy via Windows **Proxy Settings** or the Internet Explorer proxy settings.
+
+Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required.
+
+> [!NOTE]
+> We don't recommend that you use `netsh winhttp set proxy ProxyServerName:PortNumber`. Using this offers no auto-detection of the proxy, no support for an explicit PAC URL, and no authentication to the proxy. This setting is ignored by WinHTTP for requests that use auto-discovery (if an interactive user token is used).
+
+If a user is signed in, the system uses the Internet Explorer proxy.
+
+If no user is signed in, even if both the Internet Explorer proxy and netsh configuration are set, the netsh configuration will take precedence over the Internet Explorer proxy. This can result in download failures. For example, you might receive HTTP_E_STATUS_PROXY_AUTH_REQ or HTTP_E_STATUS_DENIED errors.
+
+You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie `) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply.
+
+### Summary of settings behavior
+
+These tables summarize the behavior for various combinations of settings:
+
+With an interactive user signed in:
+
+|Named proxy set by using: |Delivery Optimization successfully uses proxy |
+|---------|---------|
+|Internet Explorer proxy, current user | Yes |
+|Internet Explorer proxy, device-wide | Yes |
+|netsh proxy | No |
+|Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, Internet Explorer proxy is used |
+|Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, Internet Explorer proxy is used |
+
+With NetworkService (if unable to obtain a user token from a signed-in user):
+
+|Named proxy set by using: |Delivery Optimization successfully uses proxy |
+|---------|---------|
+|Internet Explorer proxy, current user | No |
+|Internet Explorer proxy, device-wide | Yes |
+|netsh proxy | Yes |
+|Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, netsh proxy is used |
+|Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, netsh proxy is used |
+
+## Setting a device-wide Internet Explorer proxy
+
+You can set a device-wide proxy that will apply to all users including an interactive user, LocalSystem, and NetworkService by using the [Network Proxy CSP](https://docs.microsoft.com/windows/client-management/mdm/networkproxy-csp).
+
+Or, if you use Group Policy, you can apply proxy settings to all users of the same device by enabling the **Computer Configuration\ Administrative Templates\ Windows Components\ Internet Explorer\ Make proxy settings per-machine (rather than per-user)** policy.
+
+This policy is meant to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user, so if you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer. If you disable this policy or do not configure it, users of the same computer can establish their own proxy settings.
+
+## Using a proxy with Microsoft Connected Cache
+
+Starting with Windows 10, version 2004, you can use Connected Cache behind a proxy. In older versions, when you set Delivery Optimization to download from Connected Cache, it will bypass the proxy and try to connect directly to the Connected Cache server. This can cause failure to download.
+
+However, you can set the Connected Cache server to use an unauthenticated proxy. For more information, see [Microsoft Connected Cache in Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache#prerequisites-and-limitations).
+
+ ## Related articles
+
+- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](https://docs.microsoft.com/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp)
+- [How to use GPP Registry to uncheck automatically detect settings? ](https://docs.microsoft.com/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings)
+- [How to configure a proxy server URL and Port using GPP Registry?](https://docs.microsoft.com/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry)
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index 0331ff4981..93b16449ff 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -30,9 +30,9 @@ version of the software.
We include information here about a number of different update types you'll hear about, but the two overarching types which you have the most direct control over are *feature updates* and *quality updates*.
-- **Feature updates:** Released twice per year, around March and September. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
+- **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
-- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
+- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Driver updates**: These are updates to drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
- **Microsoft product updates:** These are updates for other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
@@ -104,4 +104,3 @@ Your individual devices connect to Microsoft endpoints directly to get the updat
### Hybrid scenarios
It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
-
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 8af36e4df1..53779f741d 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -79,7 +79,7 @@ This table shows the correct sequence for applying the various tasks to the file
|Add latest cumulative update | | 15 | 21 |
|Clean up the image | 7 | 16 | 22 |
|Add Optional Components | | | 23 |
-|Add .Net and .Net cumulative updates | | | 24 |
+|Add .NET and .NET cumulative updates | | | 24 |
|Export image | 8 | 17 | 25 |
### Multiple Windows editions
@@ -90,7 +90,7 @@ The main operating system file (install.wim) contains multiple editions of Windo
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
-Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
+Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@@ -107,7 +107,7 @@ These examples are for illustration only, and therefore lack error handling. The
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
-```
+```powershell
function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
Write-Host "$(Get-TS): Starting media refresh"
@@ -160,21 +160,21 @@ New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
-# Keep the original media, make a copy of it for the new, updateed media.
+# Keep the original media, make a copy of it for the new, updated media.
Write-Host "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
### Update WinRE
-The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its s are used for updating other s. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
+The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
It finishes by cleaning and exporting the image to reduce the image size.
> [!NOTE]
-> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary s in the recovery environment. The s that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
+> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary components in the recovery environment. The components that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
-```
+```powershell
# Mount the main operating system, used throughout the script
Write-Host "$(Get-TS): Mounting main OS"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
@@ -255,7 +255,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
-```
+```powershell
#
# update Windows Preinstallation Environment (WinPE)
#
@@ -345,11 +345,11 @@ Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\
For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
-Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
+Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
-You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export.
+You can install Optional Components, along with the .NET feature, offline, but that will require the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
-```
+```powershell
#
# update Main OS
#
@@ -398,14 +398,14 @@ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
#
# Note: If I wanted to enable additional Optional Components, I'd add these here.
-# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
+# In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
#
Write-Host "$(Get-TS): Adding NetFX3~~~~"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-# Add .Net Cumulative Update
+# Add .NET Cumulative Update
Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
@@ -422,7 +422,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup.exe as needed, along with the latest compatibility database, and replacement component manifests.
-```
+```powershell
#
# update remaining files on media
#
@@ -435,7 +435,7 @@ cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PA
As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
-```
+```powershell
#
# Perform final cleanup
#
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
index 45452dd15a..4438c95e54 100644
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@@ -1,5 +1,5 @@
---
-title: Update baseline
+title: Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, tools, group policy
ms.prod: w10
@@ -11,7 +11,7 @@ manager: laurawi
ms.topic: article
---
-# Update baseline
+# Update Baseline
**Applies to:** Windows 10
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index 8aaf66d309..8911262e12 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -48,6 +48,9 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+> [!NOTE]
+> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
+
### Group Policies
All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
index 0305a83e2b..f5f19921c9 100644
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -19,7 +19,11 @@ ms.topic: article
The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
-You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
+> [!NOTE]
+> The Update Compliance configuration script does not offer options to configure Delivery Optimization. You have to do that separately.
+
+
+You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
## How the script is organized
diff --git a/windows/deployment/update/update-compliance-schema.md b/windows/deployment/update/update-compliance-schema.md
index 2be2ac0e78..a42e7701f0 100644
--- a/windows/deployment/update/update-compliance-schema.md
+++ b/windows/deployment/update/update-compliance-schema.md
@@ -20,6 +20,9 @@ When the visualizations provided in the default experience don't fulfill your re
The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries).
+> [!NOTE]
+> Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics.
+
|Table |Category |Description |
|--|--|--|
|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 09cf255a00..d9207fdefb 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -62,21 +62,19 @@ The following is a breakdown of the different sections available in Update Compl
## Update Compliance data latency
-Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows:
+Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear.
-Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate at which each type of data is sent from the device and how long it takes to be ready for Update Compliance varies, roughly outlined below.
+The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data.
| Data Type | Data upload rate from device | Data Latency |
|--|--|--|
|WaaSUpdateStatus | Once per day |4 hours |
|WaaSInsiderStatus| Once per day |4 hours |
|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours |
-|WDAVStatus|On signature update|24 hours |
-|WDAVThreat|On threat detection|24 hours |
|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours |
|WUDOStatus|Once per day|12 hours |
-This means you should generally expect to see new data device data every 24 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh).
+This means you should generally expect to see new data device data every 24 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours.
## Using Log Analytics
@@ -89,4 +87,4 @@ See below for a few topics related to Log Analytics:
## Related topics
-[Get started with Update Compliance](update-compliance-get-started.md)
\ No newline at end of file
+[Get started with Update Compliance](update-compliance-get-started.md)
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index d25d48f473..68b9bc63f3 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -5,7 +5,7 @@ manager: laurawi
description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
ms.prod: w10
ms.mktglfcycl: deploy
-
+ms.collection: m365initiative-coredeploy
audience: itpro
author: jaimeo
ms.localizationpriority: medium
@@ -48,7 +48,7 @@ With Windows Update for Business, you can set a device to be on either Windows I
**Release branch policies**
-| Policy | Sets registry key under **HKLM\Software** |
+| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 or later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
@@ -73,7 +73,7 @@ For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriod
**Policy settings for deferring feature updates**
-| Policy | Sets registry key under **HKLM\Software** |
+| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
@@ -97,7 +97,7 @@ In cases where the pause policy is first applied after the configured start date
**Policy settings for pausing feature updates**
-| Policy | Sets registry key under **HKLM\Software** |
+| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime |
| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
@@ -134,7 +134,7 @@ You can set your system to receive updates for other Microsoft products—known
**Policy settings for deferring quality updates**
-| Policy | Sets registry key under **HKLM\Software** |
+| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
@@ -157,7 +157,7 @@ In cases where the pause policy is first applied after the configured start date
**Policy settings for pausing quality updates**
-| Policy | Sets registry key under **HKLM\Software** |
+| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
@@ -207,7 +207,7 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
**Policy settings to exclude drivers**
-| Policy | Sets registry key under **HKLM\Software** |
+| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
@@ -220,7 +220,7 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value |
| --- | --- | --- |
-| BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709) 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709) 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709) 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel 32: systems take Feature Updates from Semi-annual Channel Note: Other value or absent: receive all applicable updates |
+| BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709) 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709) 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709) 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel 32: systems take Feature Updates from Semi-Annual Channel Note: Other value or absent: receive all applicable updates |
| DeferQualityUpdates | REG_DWORD | 1: defer quality updatesOther value or absent: don’t defer quality updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days |
| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
@@ -234,7 +234,7 @@ The following are quick-reference tables of the supported policy values for Wind
| MDM Key | Key type | Value |
| --- | --- | --- |
-| BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709) 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709) 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709) 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel 32: systems take Feature Updates from Semi-annual Channel Note: Other value or absent: receive all applicable updates |
+| BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709) 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709) 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709) 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel 32: systems take Feature Updates from Semi-Annual Channel Note: Other value or absent: receive all applicable updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days |
| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days |
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index e4e27a9a8a..d6edc9cf57 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -1,6 +1,5 @@
---
title: Delivery Optimization for Windows 10 updates
-ms.reviewer:
manager: laurawi
description: Delivery Optimization is a peer-to-peer distribution method in Windows 10
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
@@ -10,7 +9,9 @@ audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.collection: M365-modern-desktop
+ms.collection:
+- M365-modern-desktop
+- m365initiative-coredeploy
ms.topic: article
---
@@ -74,7 +75,6 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Computers running Windows 10 | 1511 |
| Computers running Server Core installations of Windows Server | 1709 |
| IoT devices | 1803 |
-| HoloLens devices | 1803 |
**Types of download packages supported by Delivery Optimization**
@@ -112,7 +112,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
-**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
+**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
## Reference
@@ -137,7 +137,7 @@ If you set up Delivery Optimization to create peer groups that include devices a
Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
-**What are the requirements if I use a proxy?**: You must allow Byte Range requests. See [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update) for details.
+**What are the requirements if I use a proxy?**: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/delivery-optimization-proxy). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update).
**What hostnames should I allow through my firewall to support Delivery Optimization?**:
@@ -193,6 +193,7 @@ If you don’t see any bytes coming from peers the cause might be one of the fol
- Clients aren’t able to reach the Delivery Optimization cloud services.
- The cloud service doesn’t see other peers on the network.
- Clients aren’t able to connect to peers that are offered back from the cloud service.
+- None of the computers on the network are getting updates from peers.
### Clients aren't able to reach the Delivery Optimization cloud services.
@@ -204,7 +205,6 @@ If you suspect this is the problem, try these steps:
3. If **DownloadMode** is 99 it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization hostnames are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
-
### The cloud service doesn't see other peers on the network.
If you suspect this is the problem, try these steps:
@@ -223,6 +223,15 @@ If you suspect this is the problem, try a Telnet test between two devices on the
2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run **telnet 192.168.9.17 7680** (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success.
+### None of the computers on the network are getting updates from peers
+
+If you suspect this is the problem, check Delivery Optimization settings that could limit participation in peer caching. Check whether the following settings in assigned group policies, local group policies, are MDM policies are too restrictive:
+
+- Minimum RAM (inclusive) allowed to use peer caching
+- Minimum disk size allowed to use peer caching
+- Enable peer caching while the device connects using VPN.
+- Allow uploads when the device is on battery while under the set battery level
+
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 9d8afa433e..f473a704b2 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -6,8 +6,7 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 07/27/2017
-ms.reviewer:
+ms.collection: m365initiative-coredeploy
manager: laurawi
ms.topic: article
---
@@ -69,7 +68,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f
- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
-- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server
+- Admin has also placed Microsoft Update, non-Microsoft, and locally published update content on the WSUS server
In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index db7cd77c90..9f7d882387 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -84,7 +84,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
>[!IMPORTANT]
- > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateDoNotConnectToWindowsUpdateInternetLocations
+ > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
> [!NOTE]
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 0f27e47a7e..a656c096f6 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -101,7 +101,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
-With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index e9be73508c..703e8f93bf 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -52,10 +52,8 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
>[!IMPORTANT]
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
-**To assign a single devices locally to the Semi-Annual Channel**
-
-1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
-2. Select **Defer feature updates**.
+>[!NOTE]
+>Devices will automatically recieve updates from the Semi-Annual Channel, unless they are configured to recieve preview updates through the Windows Insider Program.
**To assign devices to the Semi-Annual Channel by using Group Policy**
@@ -99,7 +97,7 @@ For more information, see [Windows Insider Program for Business](waas-windows-in
## Block access to Windows Insider Program
-To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
+To prevent devices in your organization from being enrolled in the Insider Program for early releases of Windows 10:
- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
@@ -164,10 +162,11 @@ During the life of a device, it might be necessary or desirable to switch betwee
## Block user access to Windows Update settings
In Windows 10, administrators can control user access to Windows Update.
-By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
+
+Administrators can disable the "Check for updates" option for users by enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features** . Any background update scans, downloads and installations will continue to work as configured. We don't recomment this setting if you have configured the device to "notify" to download or install as this policy will prevent the user from being able to do so.
>[!NOTE]
-> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
+> Starting with Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported.
## Steps to manage updates for Windows 10
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index ae0773920a..737657aea5 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -9,6 +9,7 @@ ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.collection: m365initiative-coredeploy
---
# Prepare servicing strategy for Windows 10 updates
@@ -29,9 +30,9 @@ In the past, traditional Windows deployments tended to be large, lengthy, and ex
Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
-- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
+- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-Annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
-- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
+- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL folder of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
@@ -43,7 +44,7 @@ Windows 10 spreads the traditional deployment effort of a Windows upgrade, which
Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
-2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
+2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-Annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index fc80d55002..5c22b5cd47 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
+ms.collection: m365initiative-coredeploy
manager: laurawi
ms.topic: article
---
@@ -59,7 +59,7 @@ Both Windows 10 feature and quality updates are automatically offered to devices
To enable Microsoft Updates use the Group Policy Management Console go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Install updates for other Microsoft products**.
-Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy.
+Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy.
We also recommend that you allow Microsoft product updates as discussed previously.
@@ -138,7 +138,7 @@ When you set these policies, installation happens automatically at the specified
We recommend that you use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline for automatic updates and restarts** for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart.
-This policies also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardles of active hours.
+This policies also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose:
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index bf3f571358..81138d6e5b 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -62,7 +62,7 @@ The Settings UI is talking to the Update Orchestrator service which in turn is t
- Windows Update
## Feature updates are not being offered while other updates are
-On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered.
+Devices running Windows 10, version 1709 through Windows 10, version 1803 that are [configured to update from Windows Update](#BKMK_DCAT) (including Windows Update for Business scenarios) are able to install servicing and definition updates but are never offered feature updates.
Checking the WindowsUpdate.log reveals the following error:
```console
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index fa2817f19b..445b6d5c18 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -3,7 +3,7 @@ title: Quick fixes - Windows IT Pro
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Learn how to quickly resolve many problems which may come up during a Windows 10 upgrade.
+description: Learn how to quickly resolve many problems, which may come up during a Windows 10 upgrade.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
ms.mktglfcycl: deploy
@@ -38,6 +38,7 @@ The Microsoft Virtual Agent provided by [Microsoft Support](https://support.micr
- Check the system drive for errors and attempt repairs. More information.
- Run the Windows Update troubleshooter. More information.
- Attempt to restore and repair system files. More information.
+- Check for unsigned drivers and update or repair them. More information.
- Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
- Temporarily uninstall non-Microsoft antivirus software.
More information.
@@ -152,9 +153,78 @@ To check and repair system files:
```
> [!NOTE]
- > It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
+ > It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image) and [Use the System File Checker tool](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system).
+### Repair unsigned drivers
+
+[Drivers](https://docs.microsoft.com/windows-hardware/drivers/gettingstarted/what-is-a-driver-) are files ending in *.dll or *.sys that are used to communicate with hardware components. Because drivers are so important, they are cryptographically signed to ensure they are genuine. Drivers with a *.sys extension that are not properly signed frequently block the upgrade process. Drivers might not be properly signed if you:
+- Disabled driver signature verification (highly not recommended).
+- A catalog file used to sign a driver is corrupt or missing.
+
+ Catalog files (files with a *.cat extension) are used to sign drivers. If a catalog file is corrupt or missing, the driver will appear to be unsigned, even though it should be signed. To restore the catalog file, reinstall the driver or copy the catalog file from another device. You might need to analyze another device to determine the catalog file that is associated with the unsigned driver. All drivers should be signed to ensure the upgrade process works.
+
+To check your system for unsigned drivers:
+
+1. Click **Start**.
+2. Type **command**.
+3. Right-click **Command Prompt** and then left-click **Run as administrator**.
+4. If you are prompted by UAC, click **Yes**.
+5. Type **sigverif** and press ENTER.
+6. The File Signature Verification tool will open. Click **Start**.
+
+ 
+
+7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers.
+8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired.
+9. Locate drivers in the log file that are unsigned, write down the location and file names. Also write down the catalog that is associated to the driver if it is provided. If the name of a catalog file is not provided you might need to analyze another device that has the same driver with sigverif and sigcheck (described below).
+10. The next step is to check that the driver reported as unsigned by sigverif.exe has a problem. In some cases, sigverif.exe might not be successful at locating the catalog file used to sign a driver, even though the catalog file exists. To perform a detailed driver check, download [sigcheck.zip](https://download.sysinternals.com/files/Sigcheck.zip) and extract the tool to a directory on your computer, for example: **C:\sigcheck**.
+
+ [Sigcheck](https://docs.microsoft.com/sysinternals/downloads/sigcheck) is a tool that you can download and use to review digital signature details of a file. To use sigcheck:
+
+11. In the command window, use the **cd** command to switch to the directory where you extracted sigcheck, for example **cd c:\sigcheck**.
+12. Using the list of unsigned drivers and their associated paths that you obtained from the File Signature Verification tool, run sigcheck to obtain details about the driver, including the catalog file used for signing. Type **sigcheck64 -i \** and press ENTER (or sigcheck -i for a 32 bit OS). See the following example:
+ ```
+ C:\Sigcheck>sigcheck64.exe -i c:\windows\system32\drivers\afd.sys
+
+ Sigcheck v2.80 - File version and signature viewer
+ Copyright (C) 2004-2020 Mark Russinovich
+ Sysinternals - www.sysinternals.com
+
+ c:\windows\system32\drivers\afd.sys:
+ Verified: Signed
+ Signing date: 6:18 PM 11/29/2017
+ Signing date: 6:18 PM 11/29/2017
+ Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat
+ Signers:
+ Microsoft Windows
+ Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.
+ Valid Usage: NT5 Crypto, Code Signing
+ Cert Issuer: Microsoft Windows Verification PCA
+ Serial Number: 33 00 00 00 4B 76 63 2D 24 A2 39 9A 8B 00 01 00 00 00 4B
+ Thumbprint: B8037C46D0DB7A8CEE502407469B0EE3234D3365
+ Algorithm: sha1RSA
+ Valid from: 11:46 AM 3/1/2017
+ Valid to: 11:46 AM 5/9/2018
+ (output truncated)
+ ```
+ In the example above, the afd.sys driver is properly signed by the catalog file Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat.
+
+
+13. Optionally, you can generate a list of drivers using driverquery.exe, which is included with Windows. To save a list of signed and unsigned drivers with driverquery, type **driverquery /si > c:\drivers.txt** and press ENTER. See the following example:
+
+ ```cmd
+ C:\>Driverquery /si
+
+ DeviceName InfName IsSigned Manufacturer
+ ============================== ============= ======== =========================
+ Microsoft ISATAP Adapter nettun.inf TRUE Microsoft
+ Generic volume shadow copy volsnap.inf TRUE Microsoft
+ Generic volume volume.inf TRUE Microsoft
+ (truncated)
+ ```
+ For more information about using driverquery, see [Two Minute Drill: DriverQuery.exe](https://techcommunity.microsoft.com/t5/ask-the-performance-team/two-minute-drill-driverquery-exe/ba-p/374977) and [driverquery](https://docs.microsoft.com/windows-server/administration/windows-commands/driverquery).
+
### Update Windows
You should ensure that all important updates are installed before attempting to upgrade. This includes updates to hardware drivers on your computer.
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index a96205d6fd..1d75d19367 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -36,7 +36,7 @@ A frequently observed [result code](upgrade-error-codes.md#result-codes) is 0xC1
The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018).
-To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process.
+To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process. Also check to be sure that your drivers are properly signed. For more information, see [Remove unsigned drivers](quick-fixes.md#repair-unsigned-drivers).
See the following general troubleshooting procedures associated with a result code of 0xC1900101:
@@ -49,7 +49,7 @@ See the following general troubleshooting procedures associated with a result co
| 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Contact your hardware vendor to obtain updated device drivers.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. |
| 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
This can occur due to a problem with a display driver. |
| 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
Review the rollback log and determine the stop code.
The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example is not representative of all cases:
Info SP Crash 0x0000007E detected
Info SP Module name :
Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
Info SP Cannot recover the system.
Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
1. Make sure you have enough disk space.
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
3. Try changing video adapters.
4. Check with your hardware vendor for any BIOS updates.
5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.
Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This can occur because of incompatible drivers. |
-| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
Ensure that you select the option to "Download and install updates (recommended)."
Computers that run Citrix VDA
You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.
**Resolution**
To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
You can work around this problem in two ways:
**Workaround 1**
1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
2. Run the Windows upgrade again.
3. Reinstall Citrix VDA.
**Workaround 2**
If you cannot uninstall Citrix VDA, follow these steps to work around this problem:
1. In Registry Editor, go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**
2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
3. Go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**
4. Delete the **CtxMcsWbc** entry.
5. Restart the computer, and then try the upgrade again.
**Non-Microsoft information disclaimer**
The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.
This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. |
+| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
Ensure that you select the option to "Download and install updates (recommended)." Also be sure to [remove unsigned drivers](quick-fixes.md#repair-unsigned-drivers).
Computers that run Citrix VDA
You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.
**Resolution**
To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
You can work around this problem in two ways:
**Workaround 1**
1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
2. Run the Windows upgrade again.
3. Reinstall Citrix VDA.
**Workaround 2**
If you cannot uninstall Citrix VDA, follow these steps to work around this problem:
1. In Registry Editor, go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc**
2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
3. Go to the following subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}**
4. Delete the **CtxMcsWbc** entry.
5. Restart the computer, and then try the upgrade again.
**Non-Microsoft information disclaimer**
The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot.
This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. |
## 0x800xxxxx
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 68924c83f3..c1068fe146 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -20,22 +20,25 @@ ms.topic: article
# Activate using Key Management Service
**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
**Looking for retail activation?**
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/)
+- [Get Help Activating Microsoft Windows 7 or Windows 8.1 ](https://go.microsoft.com/fwlink/p/?LinkId=618644)
There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
-- Host KMS on a computer running Windows 10
-- Host KMS on a computer running Windows Server 2012 R2
-- Host KMS on a computer running an earlier version of Windows
+
+- Host KMS on a computer running Windows 10
+- Host KMS on a computer running Windows Server 2012 R2
+- Host KMS on a computer running an earlier version of Windows
Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/).
@@ -43,14 +46,15 @@ Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.co
Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
-To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services.
+To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft activation services.
-**Configure KMS in Windows 10**
+### Configure KMS in Windows 10
+
+To activate, use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
-To activate , use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
- To install the KMS key, type `slmgr.vbs /ipk `.
- To activate online, type `slmgr.vbs /ato`.
-- To activate by telephone , follow these steps:
+- To activate by telephone, follow these steps:
1. Run `slmgr.vbs /dti` and confirm the installation ID.
2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
@@ -59,51 +63,51 @@ To activate , use the slmgr.vbs command. Open an elevated command prompt and run
For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
## Key Management Service in Windows Server 2012 R2
+
Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
-**Note**
-You cannot install a client KMS key into the KMS in Windows Server.
+> [!NOTE]
+> You cannot install a client KMS key into the KMS in Windows Server.
This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
-**Note**
+> [!NOTE]
+> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
-If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
-
-**Configure KMS in Windows Server 2012 R2**
+### Configure KMS in Windows Server 2012 R2
1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
2. Launch Server Manager.
3. Add the Volume Activation Services role, as shown in Figure 4.
-
- **Figure 4**. Adding the Volume Activation Services role in Server Manager\
-
+
+ **Figure 4**. Adding the Volume Activation Services role in Server Manager
+
4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
-
+
**Figure 5**. Launching the Volume Activation Tools
- 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
+5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
-
+
-
+
**Figure 6**. Configuring the computer as a KMS host
-
-5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
+
+6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
-
+
**Figure 7**. Installing your KMS host key
-
-6. If asked to confirm replacement of an existing key, click **Yes**.
-7. After the product key is installed, you must activate it. Click **Next** (Figure 8).
+
+7. If asked to confirm replacement of an existing key, click **Yes**.
+8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
-
+
**Figure 8**. Activating the software
The KMS key can be activated online or by phone. See Figure 9.
@@ -123,25 +127,27 @@ You can verify KMS volume activation from the KMS host server or from the client
To verify that KMS volume activation works, complete the following steps:
-1. On the KMS host, open the event log and confirm that DNS publishing is successful.
-2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
-The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
-3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.
+1. On the KMS host, open the event log and confirm that DNS publishing is successful.
+2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
-The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
+ The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
+3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr.vbs /dlv**, and then press ENTER.
-For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639).
+ The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
+
+For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
## Key Management Service in earlier versions of Windows
If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
-1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
-2. Request a new KMS host key from the Volume Licensing Service Center.
-3. Install the new KMS host key on your KMS host.
-4. Activate the new KMS host key by running the slmgr.vbs script.
+1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
+2. Request a new KMS host key from the Volume Licensing Service Center.
+3. Install the new KMS host key on your KMS host.
+4. Activate the new KMS host key by running the slmgr.vbs script.
For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
## See also
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 5152af65fe..45619726e9 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -19,24 +19,26 @@ ms.topic: article
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
-**Note**
-VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
+> [!NOTE]
+> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
## In this Topic
-- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
-- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
-- [Enterprise Environment](#bkmk-enterpriseenvironment)
-- [VAMT User Interface](#bkmk-userinterface)
+
+- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
+- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
+- [Enterprise Environment](#bkmk-enterpriseenvironment)
+- [VAMT User Interface](#bkmk-userinterface)
## Managing Multiple Activation Key (MAK) and Retail Activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
-- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
-- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
+
+- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
## Managing Key Management Service (KMS) Activation
-In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
+In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.\
VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
## Enterprise Environment
@@ -55,13 +57,13 @@ The following screenshot shows the VAMT graphical user interface.
VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
-- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
-- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
-- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
-- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
-- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
+
+- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
+- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
+- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
+- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
+- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
## Related topics
+
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
-
-
diff --git a/windows/docfx.json b/windows/docfx.json
index 4661aaf2be..48b05bb454 100644
--- a/windows/docfx.json
+++ b/windows/docfx.json
@@ -17,6 +17,7 @@
"ROBOTS": "INDEX, FOLLOW",
"audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",
+ "uhfHeaderId": "MSDocsHeader-M365-IT",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.windows"
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 1b9bb407c6..25ef07d002 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,4 +1,4 @@
-# [Windows 10](index.md)
+# [Windows 10](index.yml)
## [What's new](/windows/whats-new)
## [Release information](/windows/release-information)
## [Deployment](/windows/deployment)
diff --git a/windows/hub/index.md b/windows/hub/index.md
deleted file mode 100644
index b34eb9cf48..0000000000
--- a/windows/hub/index.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Windows 10
-description: Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10.
-ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
-ms.prod: w10
-ms.localizationpriority: high
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.reviewer: dansimp
-manager: dansimp
----
-
-# Windows 10
-
-Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10.
-
-
-
-## Check out [what's new in Windows 10, version 2004](/windows/whats-new/whats-new-windows-10-version-2004).
-
-
-
->[!TIP]
-> Looking for information about older versions of Windows? Check out our other [Windows libraries](/previous-versions/windows/) on docs.microsoft.com. You can also search this site to find specific information, like this [Windows 8.1 content](https://docs.microsoft.com/search/index?search=Windows+8.1&dataSource=previousVersions).
-
-## Get to know Windows as a Service (WaaS)
-
-The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
-
-These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
-
-- [Read more about Windows as a Service](/windows/deployment/update/waas-overview)
\ No newline at end of file
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
new file mode 100644
index 0000000000..0ac1aa5523
--- /dev/null
+++ b/windows/hub/index.yml
@@ -0,0 +1,115 @@
+### YamlMime:Landing
+
+title: Windows 10 resources and documentation for IT Pros # < 60 chars
+summary: Plan, deploy, secure, and manage devices running Windows 10. # < 160 chars
+
+metadata:
+ title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars.
+ services: windows-10
+ ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.subservice: subservice
+ ms.topic: landing-page # Required
+ ms.collection: windows-10
+ author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
+ ms.author: greglin #Required; microsoft alias of author; optional team alias.
+ ms.date: 09/23/2020 #Required; mm/dd/yyyy format.
+ localization_priority: medium
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+ - title: What's new
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: What's new in Windows 10, version 2004
+ url: /windows/whats-new/whats-new-windows-10-version-2004
+ - text: What's new in Windows 10, version 1909
+ url: /windows/whats-new/whats-new-windows-10-version-1909
+ - text: What's new in Windows 10, version 1903
+ url: /windows/whats-new/whats-new-windows-10-version-1903
+ - text: Windows 10 release information
+ url: https://docs.microsoft.com/windows/release-information/
+
+ # Card (optional)
+ - title: Configuration
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Configure Windows 10
+ url: /windows/configuration/index
+ - text: Accesasibility information for IT Pros
+ url: /windows/configuration/windows-10-accessibility-for-itpros
+ - text: Configure access to Microsoft Store
+ url: /windows/configuration/stop-employees-from-using-microsoft-store
+ - text: Set up a shared or guest PC
+ url: /windows/configuration/set-up-shared-or-guest-pc
+
+ # Card (optional)
+ - title: Deployment
+ linkLists:
+ - linkListType: deploy
+ links:
+ - text: Deploy and update Windows 10
+ url: /windows/deployment/index
+ - text: Windows 10 deployment scenarios
+ url: /windows/deployment/windows-10-deployment-scenarios
+ - text: Create a deployment plan
+ url: /windows/deployment/update/create-deployment-plan
+ - text: Prepare to deploy Windows 10
+ url: /windows/deployment/update/prepare-deploy-windows
+
+
+ # Card
+ - title: App management
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Windows 10 application management
+ url: /windows/application-management/index
+ - text: Understand the different apps included in Windows 10
+ url: /windows/application-management/apps-in-windows-10
+ - text: Get started with App-V for Windows 10
+ url: /windows/application-management/app-v/appv-getting-started
+ - text: Keep removed apps from returning during an update
+ url: /windows/application-management/remove-provisioned-apps-during-update
+
+ # Card
+ - title: Client management
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Windows 10 client management
+ url: /windows/client-management/index
+ - text: Administrative tools in Windows 10
+ url: /windows/client-management/administrative-tools-in-windows-10
+ - text: Create mandatory user profiles
+ url: /windows/client-management/mandatory-user-profile
+ - text: New policies for Windows 10
+ url: /windows/client-management/new-policies-for-windows-10
+
+ # Card (optional)
+ - title: Security and Privacy
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Windows 10 Enterprise Security
+ url: /windows/security/index
+ - text: Windows Privacy
+ url: /windows/privacy/index
+ - text: Identity and access management
+ url: /windows/security/identity-protection/index
+ - text: Threat protection
+ url: /windows/security/threat-protection/index
+ - text: Information protection
+ url: /windows/security/information-protection/index
+ - text: Required diagnostic data
+ url: /windows/privacy/required-windows-diagnostic-data-events-and-fields-2004
+ - text: Optional diagnostic data
+ url: /windows/privacy/windows-diagnostic-data
+ - text: Changes to Windows diagnostic data collection
+ url: /windows/privacy/changes-to-windows-diagnostic-data-collection
diff --git a/windows/hub/windows-10.yml b/windows/hub/windows-10.yml
deleted file mode 100644
index 822259efbd..0000000000
--- a/windows/hub/windows-10.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 10
-metadata:
- title: Windows 10
- description: Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization.
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: medium
- author: lizap
- ms.author: elizapo
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization.
- "
-- title: Explore
-- items:
- - type: markdown
- text: "
- Get started with Windows 10. Evaluate free for 90 days and set up virtual labs to test a proof of concept.
- 
**Download a free 90-day evaluation**
Try the latest features. Test your apps, hardware, and deployment strategies.
Start evaluation | 
**Get started with virtual labs**
Try setup, deployment, and management scenarios in a virtual environment, with no additional software or setup required.
See Windows 10 labs | 
**Conduct a proof of concept**
Download a lab environment with MDT, Configuration Manager, Windows 10, and more.
Get deployment kit |
-
- "
-- title: What's new
-- items:
- - type: markdown
- text: "
- Learn about the latest releases and servicing options.
-
- "
-- title: Frequently asked questions
-- items:
- - type: markdown
- text: "
- Get answers to common questions, or get help with a specific problem.
-
- "
-- title: Plan
-- items:
- - type: markdown
- text: "
- Prepare to deploy Windows 10 in your organization. Explore deployment methods, compatibility tools, and servicing options.
-
- "
-- title: Deploy
-- items:
- - type: markdown
- text: "
- Download recommended tools and get step-by-step guidance for in-place upgrades, dynamic provisioning, or traditional deployments.
-
- "
-- title: Management and security
-- items:
- - type: markdown
- text: "
- Learn how to manage Windows 10 clients and apps, secure company data, and manage risk.
-
- "
-- title: Stay informed
-- items:
- - type: markdown
- text: "
- Stay connected with Windows 10 experts, your colleagues, business trends, and IT pro events.
- 
**Sign up for the Windows IT Pro Insider**
Find out about new resources and get expert tips and tricks on deployment, management, security, and more.
Learn more | 
**Follow us on Twitter**
Keep up with the latest desktop and device trends, Windows news, and events for IT pros.
Visit Twitter | 
**Join the Windows Insider Program for Business**
Get early access to new builds and provide feedback on the latest features and functionalities.
Get started |
-
- "
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index d0d7ff467f..90ab13ce23 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -95,6 +95,8 @@ The following methodology was used to derive the network endpoints:
|wdcp.microsoft.com|HTTPS|Used for Windows Defender when Cloud-based Protection is enabled
|activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows
|adl.windows.com|HTTP|Used for compatibility database updates for Windows
+|spclient.wg.spotify.com|TLSV1.2|Used for Spotify Live Tile
+|cs.dds.microsoft.com|TLSV1.2|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.
## Windows 10 Pro
@@ -159,6 +161,8 @@ The following methodology was used to derive the network endpoints:
|windows.policies.live.net|HTTP|OneDrive
|activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows
|adl.windows.com|HTTP|Used for compatibility database updates for Windows
+|spclient.wg.spotify.com|TLSV1.2|Used for Spotify Live Tile
+|cs.dds.microsoft.com|TLSV1.2|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.
## Windows 10 Education
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index d1b2905bad..ab00e42eba 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -33,7 +33,6 @@
"externalReference": [],
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "ms.technology": "windows",
"ms.topic": "article",
"manager": "dansimp",
"audience": "ITPro",
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index 48f324427e..b14254b22a 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -186,7 +186,7 @@ This group includes all domain controllers in an Active Directory forest. Domain
All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
-On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed).
+On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
Membership is controlled by the operating system.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index cdf9c3ec9a..ec08c99def 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -12,29 +12,30 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
-ms.date: 01/12/2018
+ms.date: 09/30/2020
ms.reviewer:
---
# Windows Defender Credential Guard: Requirements
-**Applies to**
-- Windows 10
-- Windows Server 2016
+## Applies to
+- Windows 10
+- Windows Server 2016
-For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
-
+For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
## Hardware and software requirements
To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
+
- Support for Virtualization-based security (required)
- Secure boot (required)
-- TPM (preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware
+- Trusted Platform Module (TPM, preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware
- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
The Virtualization-based security requires:
+
- 64-bit CPU
- CPU virtualization extensions plus extended page tables
- Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
@@ -47,6 +48,7 @@ Credential Guard can protect secrets in a Hyper-V virtual machine, just as it wo
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.
+ - TPM is not a requirement, but we recommend that you implement TPM.
For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/).
@@ -57,19 +59,21 @@ For information about Windows Defender Remote Credential Guard hardware and soft
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
>[!WARNING]
-> Enabling Windows Defender Credential Guard on domain controllers is not supported.
+> Enabling Windows Defender Credential Guard on domain controllers is not supported.
> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes.
>[!NOTE]
> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
Applications will break if they require:
+
- Kerberos DES encryption support
- Kerberos unconstrained delegation
- Extracting the Kerberos TGT
- NTLMv1
Applications will prompt and expose credentials to risk if they require:
+
- Digest authentication
- Credential delegation
- MS-CHAPv2
@@ -86,52 +90,66 @@ The following tables describe baseline protections, plus protections for improve
> [!NOTE]
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
->
+>
> If you are an OEM, see [PC OEM requirements for Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
### Baseline protections
-|Baseline Protections | Description | Security benefits
+|Baseline Protections|Description|Security benefits
|---|---|---|
-| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
-| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 or Windows Server 2016.
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
+|Hardware: **64-bit CPU** |A 64-bit computer is required for the Windows hypervisor to provide VBS.|
+|Hardware: **CPU virtualization extensions**, plus **extended page tables**|**Requirements**: - These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).|VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation.|
+|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
+|Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
+|Firmware: **Secure firmware update process**|**Requirements**: - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
+|Software: Qualified **Windows operating system**|**Requirement**: - Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
+
+> [!IMPORTANT]
+> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
-
### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
-| Protections for Improved Security | Description |
-|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. |
-| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation |
-
-
+|Protections for Improved Security|Description|
+|---|---|
+|Hardware: **IOMMU** (input/output memory management unit)|**Requirement**: - VT-D or AMD Vi IOMMU **Security benefits**: - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables)|
+|Firmware: **Securing Boot Configuration and Management**|**Requirements**: - BIOS password or stronger authentication must be supported. - In the BIOS configuration, BIOS authentication must be set. - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
+|Firmware: **Secure MOR, revision 2 implementation**|**Requirement**: - Secure MOR, revision 2 implementation|
### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
-| Protections for Improved Security | Description |Security Benefits |
+|Protections for Improved Security|Description|Security Benefits|
|---|---|---|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/library/windows/hardware/mt712332(v=vs.85).aspx). | Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. |
-| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software. | • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-
-
+|Firmware: **Hardware Rooted Trust Platform Secure Boot**|**Requirements**: - Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/library/windows/hardware/mt712332(v=vs.85).aspx).|Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware. - HSTI provides additional security assurance for correctly secured silicon and platform.|
+|Firmware: **Firmware Update through Windows Update**|**Requirements**: - Firmware must support field updates through Windows Update and UEFI encapsulation update.|Helps ensure that firmware updates are fast, secure, and reliable.|
+|Firmware: **Securing Boot Configuration and Management**|**Requirements**: - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time. - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.|- Enterprises can choose to allow proprietary EFI drivers/applications to run. - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots.|
### 2017 Additional security qualifications starting with Windows 10, version 1703
The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
-| Protections for Improved Security | Description | Security Benefits
+|Protections for Improved Security|Description|Security Benefits
|---|---|---|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volatile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
+|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**: - VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements: - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. - PE sections must be page-aligned in memory (not required for in non-volatile storage). - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS: - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both. - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) - Reduces the attack surface to VBS from system firmware.|
+|Firmware: **Firmware support for SMM protection**|**Requirements**: - The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) - Reduces the attack surface to VBS from system firmware. - Blocks additional security attacks against SMM.|
+
+> [!IMPORTANT]
+>
+>Regarding **VBS enablement of NX protection for UEFI runtime services**:
+>
+> - This only applies to UEFI runtime service memory, and not UEFI boot service memory.
+>
+> - This protection is applied by VBS on OS page tables.
+>
+> Please also note the following:
+>
+> - Do not use sections that are both writeable and executable
+>
+> - Do not attempt to directly modify executable system memory
+>
+> - Do not use dynamic code
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md
index e6d36e6967..b5dfff553e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@@ -75,6 +75,7 @@ Communicating with Azure Active Directory uses the following URLs:
- enterpriseregistration.windows.net
- login.microsoftonline.com
- login.windows.net
+- account.live.com
If your environment uses Microsoft Intune, you need these additional URLs:
- enrollment.manage.microsoft.com
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 8a785dcf5f..a0855330fb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -95,8 +95,7 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
-> * The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store.
-> * If you are using a 3rd party CA, add the certificate to the NTAuth store. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
+> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
### Enrollment Agent certificate template
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index ce98019039..3bd0bbe112 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -39,7 +39,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
2. Click the **Users** container in the navigation pane.
3. Right-click **Key Admins** in the details pane and click **Properties**.
4. Click the **Members** tab and click **Add**
-5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**.
+5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**.
6. Click **OK** to return to **Active Directory Users and Computers**.
### Section Review
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index df414d1e79..fc09e68a62 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -48,44 +48,54 @@ The following client-side components are also required:
- Trusted Platform Module (TPM)
## VPN device compliance
+
At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
Server-side infrastructure requirements to support VPN device compliance include:
-- The VPN server should be configured for certificate authentication
-- The VPN server should trust the tenant-specific Azure AD CA
-- For client access using Kerberos/NTLM, a domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO)
+- The VPN server should be configured for certificate authentication.
+- The VPN server should trust the tenant-specific Azure AD CA.
+- For client access using Kerberos/NTLM, a domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO).
After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
Two client-side configuration service providers are leveraged for VPN device compliance.
-- VPNv2 CSP DeviceCompliance settings
+- VPNv2 CSP DeviceCompliance settings:
+
- **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client attempts to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
- **Sso**: entries under SSO should be used to direct the VPN client to use a certificate other than the VPN authentication certificate when accessing resources that require Kerberos authentication.
- **Sso/Enabled**: if this field is set to **true**, the VPN client looks for a separate certificate for Kerberos authentication.
- **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
- **Sso/Eku**: comma-separated list of Enhanced Key Usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
+
- HealthAttestation CSP (not a requirement) - functions performed by the HealthAttestation CSP include:
+
- Collects TPM data used to verify health states
- Forwards the data to the Health Attestation Service (HAS)
- Provisions the Health Attestation Certificate received from the HAS
- Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
->[!NOTE]
->Currently, it is required that certificates be issued from an on-premises CA, and that SSO be enabled in the user’s VPN profile. This will enable the user to obtain Kerberos tickets in order to access resources on-premises. Kerberos currently does not support the use of Azure AD certificates.
+> [!NOTE]
+> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources.
## Client connection flow
+
The VPN client side connection flow works as follows:
-
+> [!div class="mx-imgBorder"]
+> 
When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow:
1. The VPN client calls into Windows 10’s Azure AD Token Broker, identifying itself as a VPN client.
+
2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
-3. If compliant, Azure AD requests a short-lived certificate
+
+3. If compliant, Azure AD requests a short-lived certificate.
+
4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
+
5. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
## Configure conditional access
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 73946540c5..7f89a245b5 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -458,7 +458,7 @@ contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,conto
Value format without proxy:
```console
-contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com
+contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com,
```
### Protected domains
@@ -593,7 +593,7 @@ After you've decided where your protected apps can access enterprise data on you
**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp).
-- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy.
+- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files.
If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access.
@@ -622,7 +622,7 @@ You can restrict which files are protected by WIP when they are downloaded from
- [What is Azure Rights Management?](https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms)
-- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/intune/deploy-use/create-windows-information-protection-policy-with-intune)
+- [Create a Windows Information Protection (WIP) protection policy using Microsoft Intune](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index a099742145..ebe3c59220 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -73,6 +73,8 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Remote Desktop
+- Microsoft To Do
+
> [!NOTE]
> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
@@ -113,6 +115,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app |
| Microsoft MAPI Repair Tool | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** fixmapi.exe
**App Type:** Desktop app |
+| Microsoft To Do | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Todos
**App Type:** Store app |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 0de8771fac..9af557f950 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -59,7 +59,7 @@ To help address this security insufficiency, companies developed data loss preve
- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
-Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
+Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
### Using information rights management systems
To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
@@ -90,7 +90,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+ - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 9f33cfa052..f69cdfadb5 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -26,18 +26,23 @@
## [Migration guides](microsoft-defender-atp/migration-guides.md)
-### [Switch from McAfee to Microsoft Defender ATP]()
-#### [Get an overview of migration](microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md)
-#### [Prepare for your migration](microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md)
-#### [Set up Microsoft Defender ATP](microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md)
-#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md)
-### [Switch from Symantec to Microsoft Defender ATP]()
-#### [Get an overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
-#### [Prepare for your migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
-#### [Set up Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
-#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
-### [Manage Microsoft Defender ATP after migration]()
-#### [Overview](microsoft-defender-atp/manage-atp-post-migration.md)
+### [Switch from McAfee to Microsoft Defender for Endpoint]()
+#### [Overview of migration](microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md)
+#### [Phase 1: Prepare](microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md)
+#### [Phase 2: Setup](microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md)
+#### [Phase 3: Onboard](microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md)
+### [Switch from Symantec to Microsoft Defender for Endpoint]()
+#### [Overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
+#### [Phase 1: Prepare](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
+#### [Phase 2: Setup](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
+#### [Phase 3: Onboard](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
+### [Switch from your non-Microsoft endpoint security solution to Microsoft Defender for Endpoint]()
+#### [Overview of migration](microsoft-defender-atp/switch-to-microsoft-defender-migration.md)
+#### [Phase 1: Prepare](microsoft-defender-atp/switch-to-microsoft-defender-prepare.md)
+#### [Phase 2: Setup](microsoft-defender-atp/switch-to-microsoft-defender-setup.md)
+#### [Phase 3: Onboard](microsoft-defender-atp/switch-to-microsoft-defender-onboard.md)
+### [Manage Microsoft Defender for Endpoint after migration]()
+#### [Overview of managing Microsoft Defender for Endpoint](microsoft-defender-atp/manage-atp-post-migration.md)
#### [Intune (recommended)](microsoft-defender-atp/manage-atp-post-migration-intune.md)
#### [Configuration Manager](microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md)
#### [Group Policy Objects](microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md)
@@ -251,9 +256,17 @@
#### [Resources](microsoft-defender-atp/mac-resources.md)
+
+
### [Microsoft Defender Advanced Threat Protection for iOS]()
#### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md)
+#### [Deploy]()
+##### [App-based deployment](microsoft-defender-atp/ios-install.md)
+
+#### [Configure]()
+##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
+
### [Microsoft Defender Advanced Threat Protection for Linux]()
#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
@@ -531,6 +544,7 @@
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
+####### [Set device value](microsoft-defender-atp/set-device-value.md)
###### [Machine Action]()
####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
@@ -695,7 +709,7 @@
##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
-
+#### [Troubleshoot migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 1ce7884399..2893cf7ece 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -42,7 +42,7 @@ Configuring policy settings in this category can help you document attempts to a
- [Audit Credential Validation](audit-credential-validation.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
-- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+- [Audit Other Account Logon Events](audit-other-account-logon-events.md)
## Account Management
@@ -150,8 +150,8 @@ Auditors will be able to prove that every resource in the system is protected by
Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access.
-> **Note:** If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object
-Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
+> [!NOTE]
+> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 84cf52d450..220876b84a 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -166,7 +166,7 @@ This event generates on domain controllers, member servers, and workstations.
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
| 0XC000006D | This is either due to a bad username or authentication information |
- | 0XC000006E | Unknown user name or bad password. |
+ | 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
@@ -284,7 +284,7 @@ For 4625(F): An account failed to log on.
- Monitor for all events with the fields and values in the following table:
- | **Field** | Value to monitor for |
+ | Field | Value to monitor for |
|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index 6ae2dcfe4c..a5f4583231 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -43,7 +43,7 @@ A fully fileless malware can be considered one that never requires writing a fil
A compromised device may also have malicious code hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card. All these examples don't require a file on the disk to run, and can theoretically live only in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls.
-Infections of this type can be extra difficult deal with because antivirus products usually don’t have the capability to inspect firmware. Even if they did, it would be extremely challenging to detect and remediate threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. It’s not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks.
+Infections of this type can be particularly difficult to detect because most antivirus products don’t have the capability to inspect firmware. In cases where a product does have the ability to inspect and detect malicious firmware, there are still significant challenges associated with remediation of threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. It’s not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks.
## Type II: Indirect file activity
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
index ca821701f2..8d013685ee 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -1,7 +1,7 @@
---
title: Collect diagnostic data of Microsoft Defender Antivirus
description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
@@ -25,7 +25,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
> [!NOTE]
> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
@@ -54,7 +54,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di
4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
> [!NOTE]
-> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation `
For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
+> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation `
For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
@@ -78,7 +78,7 @@ mpcmdrun.exe -GetFiles -SupportLogLocation
Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
-When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path:
+When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path:
```Dos
\\MpSupport--.cab
@@ -86,13 +86,30 @@ When the SupportLogLocation parameter is used, a folder structure as below will
| field | Description |
|:----|:----|
-| path | The path as specified on the commandline or retrieved from configuration
-| MMDD | Month Day when the diagnostic data was collected (eg 0530)
-| hostname | the hostname of the device on which the diagnostic data was collected.
-| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422)
+| path | The path as specified on the command line or retrieved from configuration
+| MMDD | Month and day when the diagnostic data was collected (for example, 0530)
+| hostname | The hostname of the device on which the diagnostic data was collected
+| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422)
> [!NOTE]
-> When using a File share please make sure that account used to collect the diagnostic package has write access to the share.
+> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.
+
+## Specify location where diagnostic data is created
+
+You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO).
+
+1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`
+
+1. Select **Define the directory path to copy support log files**.
+
+ 
+
+ 
+3. Inside the policy editor, select **Enabled**.
+
+4. Specify the directory path where you want to copy the support log files in the **Options** field.
+ 
+5. Select **OK** or **Apply**.
## See also
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
index 93b12016f3..ee3e692d4a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -59,8 +59,8 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
->[!NOTE]
->If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
+> [!NOTE]
+> If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares.
## Use PowerShell to configure scanning options
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png
new file mode 100644
index 0000000000..7f5019db43
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png
new file mode 100644
index 0000000000..f93b4ad4dc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png
new file mode 100644
index 0000000000..bf839465f9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png
new file mode 100644
index 0000000000..6d5d59ee31
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png
new file mode 100644
index 0000000000..e4b306fd92
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index 514ee0334b..d352e882bd 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
-ms.date: 09/10/2020
+ms.date: 10/08/2020
---
# Manage Microsoft Defender Antivirus updates and apply baselines
@@ -33,38 +33,73 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
> [!IMPORTANT]
> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-> [!NOTE]
+>
> You can use the below URL to find out what are the current versions:
> [https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info)
## Security intelligence updates
-Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
+Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
-The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+> [!NOTE]
+> Updates are released under the below KB numbers:
+> Microsoft Defender Antivirus: KB2267602
+> System Center Endpoint Protection: KB2461484
-Engine updates are included with the security intelligence updates and are released on a monthly cadence.
+Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
+
+Engine updates are included with security intelligence updates and are released on a monthly cadence.
## Product updates
-Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
+Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as *platform updates*), and will receive major feature updates alongside Windows 10 releases.
+
+You can manage the distribution of updates through one of the following methods:
+
+- [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus)
+- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction)
+- The usual method you use to deploy Microsoft and Windows updates to endpoints in your network.
-You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
> [!NOTE]
-> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server.
+> We release these monthly updates in phases. This results in multiple packages visible in your WSUS server.
## Monthly platform and engine versions
-For information how to update or how to install the platform update, please see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
+For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
All our updates contain:
-* performance improvements
-* serviceability improvements
-* integration improvements (Cloud, MTP)
+- performance improvements
+- serviceability improvements
+- integration improvements (Cloud, Microsoft 365 Defender)
+
+
+
+ September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)
+
+ Security intelligence update version: **1.325.10.0**
+ Released: **October 01, 2020**
+ Platform: **4.18.2009.7**
+ Engine: **1.1.17500.4**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+- Admin permissions are required to restore files in quarantine
+- XML formatted events are now supported
+- CSP support for ignoring exclusion merge
+- New management interfaces for:
+ - UDP Inspection
+ - Network Protection on Server 2019
+ - IP Address exclusions for Network Protection
+- Improved visibility into TPM measurements
+- Improved Office VBA module scanning
+
+### Known Issues
+No known issues
+
+
August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)
@@ -75,11 +110,14 @@ All our updates contain:
Support phase: **Security and Critical Updates**
### What's new
-* Add more telemetry events
-* Improved scan event telemetry
-* Improved behavior monitoring for memory scans
-* Improved macro streams scanning
-* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet
+
+- Add more telemetry events
+- Improved scan event telemetry
+- Improved behavior monitoring for memory scans
+- Improved macro streams scanning
+- Added `AMRunningMode` to Get-MpComputerStatus PowerShell cmdlet
+- [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program.
+
### Known Issues
No known issues
@@ -111,7 +149,7 @@ No known issues
Released: **June 22, 2020**
Platform: **4.18.2006.10**
Engine: **1.1.17200.2**
- Support phase: **Security and Critical Updates**
+ Support phase: **Technical upgrade Support (Only)**
### What's new
* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
@@ -159,7 +197,7 @@ No known issues
### What's new
* WDfilter improvements
-* Add more actionable event data to ASR detection events
+* Add more actionable event data to attack surface reduction detection events
* Fixed version information in diagnostic data and WMI
* Fixed incorrect platform version in UI after platform update
* Dynamic URL intel for Fileless threat protection
@@ -184,7 +222,7 @@ No known issues
* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
* Improve diagnostic capability
-* reduce Security intelligence timeout (5min)
+* reduce Security intelligence timeout (5 min)
* Extend AMSI engine internal log capability
* Improve notification for process blocking
@@ -264,8 +302,7 @@ When this update is installed, the device needs the jump package 4.10.2001.10 to
## Microsoft Defender Antivirus platform support
-As stated above, platform and engine updates are provided on a monthly cadence.
-Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version:
+Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version:
* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
@@ -293,12 +330,12 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve
Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
-## In this section
+## See also
Article | Description
---|---
[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
-[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
+[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next logon.
[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index e598e1bbce..be374197ff 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
-ms.date: 08/26/2020
+ms.date: 09/28/2020
---
# Microsoft Defender Antivirus compatibility
@@ -77,7 +77,7 @@ The following table summarizes the functionality and features that are available
|Automatic disabled mode |No |Yes |No |No |No |
- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
-- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
+- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
@@ -94,6 +94,8 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
> [!WARNING]
> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+> [!IMPORTANT]
+> If you are using [Microsoft endpoint data loss prevention (Endpoint DLP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled even when Microsoft Defender Antivirus is running in passive mode. Endpoint DLP depends on real-time protection to operate.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 6b6a753cf0..6cc3ece08f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -1,6 +1,6 @@
---
title: Protect security settings with tamper protection
-ms.reviewer:
+ms.reviewer: shwjha, hayhov
manager: dansimp
description: Use tamper protection to prevent malicious apps from changing important security settings.
keywords: malware, defender, antivirus, tamper protection
@@ -14,7 +14,7 @@ audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 08/31/2020
+ms.date: 10/14/2020
---
# Protect security settings with tamper protection
@@ -25,6 +25,7 @@ ms.date: 08/31/2020
**Applies to:**
- Windows 10
+- Windows Server 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006))
## Overview
@@ -41,7 +42,7 @@ With tamper protection, malicious apps are prevented from taking actions such as
### How it works
- Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
+Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
- Configuring settings in Registry Editor on your Windows machine
- Changing settings through PowerShell cmdlets
@@ -54,6 +55,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
1. Turn tamper protection on
- [For an individual machine, use Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine).
- [For your organization, use Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
+ - [Use tenant attach with Configuration Manager, version 2006, for devices running Windows 10 or Windows Server 2019](#manage-tamper-protection-with-configuration-manager-version-2006)
2. [View information about tampering attempts](#view-information-about-tampering-attempts).
@@ -121,10 +123,38 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
1. Open the Windows PowerShell app.
-2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) PowerShell cmdlet.
+2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) PowerShell cmdlet.
3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
+## Manage tamper protection with Configuration Manager, version 2006
+
+> [!IMPORTANT]
+> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
+
+If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
+
+1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
+
+2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.
+
+ - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**.
+
+ - In the **Profile** list, select **Windows Security experience (preview)**.
+
+ The following screenshot illustrates how to create your policy:
+
+ :::image type="content" source="images/win-security- exp-policy-endpt-security.png" alt-text="Windows security experience in Endpoint Manager":::
+
+3. Deploy the policy to your device collection.
+
+Need help? See the following resources:
+
+- [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings)
+
+- [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
+
+
## View information about tampering attempts
Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
@@ -133,7 +163,7 @@ When a tampering attempt is detected, an alert is raised in the [Microsoft Defen
-Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
+Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
## Review your security recommendations
@@ -151,11 +181,9 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili
### To which Windows OS versions is configuring tamper protection is applicable?
-Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
-### Is configuring tamper protection in Intune supported on servers?
-
-No
+If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy).
### Will tamper protection have any impact on third party antivirus registration?
@@ -163,13 +191,17 @@ No. Third-party antivirus offerings will continue to register with the Windows S
### What happens if Microsoft Defender Antivirus is not active on a device?
-Tamper protection will not have any impact on such devices.
+Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features.
### How can I turn tamper protection on/off?
If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
-If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
+If you are an organization using [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
+
+- [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
+
+- [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)
### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
@@ -186,19 +218,19 @@ Some sample Microsoft Defender Antivirus settings:
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\
Value `DisableRealtimeMonitoring` = 0
-### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
+### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?
-Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups.
+Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups.
### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
-Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration Manager.
+If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) and [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin).
### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
-Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
-### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
+### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
You won’t be able to change the features that are protected by tamper protection; such change requests are ignored.
@@ -206,9 +238,9 @@ You won’t be able to change the features that are protected by tamper protecti
No. Local admins cannot change or modify tamper protection settings.
-### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state?
+### What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?
-In this case, tamper protection status changes, and this feature is no longer applied.
+If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.
### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
@@ -220,14 +252,10 @@ In addition, your security operations team can use hunting queries, such as the
[View information about tampering attempts](#view-information-about-tampering-attempts).
-### Will there be a group policy setting for tamper protection?
-
-No.
-
-## Related articles
+## See also
[Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
-[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+[Get an overview of Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
-[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md)
+[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index c3358561d8..7bf4c22d0e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -64,6 +64,9 @@ See [Prevent users from locally modifying policy settings](configure-local-polic
You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+> [!NOTE]
+> This setting is not supported on Windows 10.
+
### Use Group Policy to prevent users from pausing a scan
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
index c83b6725b3..da893a1b8a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 09/28/2020
ms.reviewer:
manager: dansimp
---
@@ -25,15 +25,9 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-After an Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
+After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
-## Use Microsoft Intune to review scan results
-
-1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
-
-2. Click the scan results in **Device actions status**.
-
## Use Configuration Manager to review scan results
See [How to monitor Endpoint Protection status](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
@@ -46,7 +40,7 @@ The following cmdlet will return each detection on the endpoint. If there are mu
Get-MpThreatDetection
```
-
+
You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
@@ -56,7 +50,7 @@ If you want to list threat detections, but combine detections of the same threat
Get-MpThreat
```
-
+
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index 2a04fdb15b..f176529dde 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 07/22/2020
+ms.date: 09/30/2020
ms.reviewer:
manager: dansimp
---
@@ -28,14 +28,13 @@ manager: dansimp
> [!NOTE]
> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
-
In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
-This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-To configure the Group Policy settings described in this topic:
+## To configure the Group Policy settings described in this article
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -201,7 +200,7 @@ Scan | Specify the time for a daily quick scan | Specify the number of minutes a
Use the following cmdlets:
```PowerShell
-Set-MpPreference -ScanScheduleQuickTime
+Set-MpPreference -ScanScheduleQuickScanTime
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
@@ -229,9 +228,7 @@ Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
-## Related topics
-
-
+## See also
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
new file mode 100644
index 0000000000..09535418a1
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
@@ -0,0 +1,134 @@
+---
+title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
+description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus
+keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+author: martyav
+ms.author: v-maave
+ms.custom: nextgen
+ms.date: 09/11/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
+
+## Review event logs
+
+Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*.
+
+Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**.
+
+From there, select **Open** underneath **Operational**.
+
+Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs.
+
+## Microsoft Defender Antivirus won't start
+
+This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.
+
+### Associated event IDs
+
+ Event ID | Log name | Description | Source
+-|-|-|-
+15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center
+5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
**Old value:** Default\IsServiceRunning = 0x0
**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender
+5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender
+
+### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
+
+On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat Protection (ATP), and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender ATP with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
+
+> [!TIP]
+> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software.
+
+#### Use Services app to check if Microsoft Defender Antivirus is turned off
+
+To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*.
+
+Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
+
+While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*
+
+This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus.
+
+#### Generate a detailed report
+
+You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command:
+
+```powershell
+GPresult.exe /h gpresult.html
+```
+
+This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off.
+
+##### Group policy results
+
+##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM)
+
+Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
+
+Policy | Setting | Winning GPO
+-|-|-
+Turn off Windows Defender Antivirus | Enabled | Win10-Workstations
+
+###### If security settings are implemented via Group policy preference (GPP)
+
+Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
+
+DisableAntiSpyware | -
+-|-
+Winning GPO | Win10-Workstations
+Result: Success |
+**General** |
+Action | Update
+**Properties** |
+Hive | HKEY_LOCAL_MACHINE
+Key path | SOFTWARE\Policies\Microsoft\Windows Defender
+Value name | DisableAntiSpyware
+Value type | REG_DWORD
+Value data | 0x1 (1)
+
+###### If security settings are implemented via registry key
+
+The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off:
+
+> Registry (regedit.exe)
+>
+> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
+> DisableAntiSpyware (dword) 1 (hex)
+
+###### If security settings are set in Windows or your Windows Server image
+
+Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus.
+
+### Turn Microsoft Defender Antivirus back on
+
+Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality.
+
+> [!WARNING]
+> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
+
+Passive mode is available if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed.
+
+Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
+
+> [!IMPORTANT]
+> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.
+
+### See also
+
+* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
+* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index 761dd08cfa..1a87a09ee4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -10,8 +10,8 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
+ms.date: 10/01/2018
+ms.reviewer: ksarens
manager: dansimp
---
@@ -96,7 +96,7 @@ Root | Allow antimalware service to start up with normal priority | [Configure r
Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10)
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 372d0b750f..b3bb7867ee 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -22,7 +22,8 @@ Answering frequently asked questions about Microsoft Defender Application Guard
## Frequently Asked Questions
-### Can I enable Application Guard on machines equipped with 4GB RAM? |
+### Can I enable Application Guard on machines equipped with 4GB RAM?
+
We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.)
@@ -87,7 +88,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's standalone mode. However, when using Windows Enterprise you will have access to Application Guard's enterprise-managed mode. This mode has some extra features that the standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
@@ -95,88 +96,8 @@ Yes, both the enterprise resource domains hosted in the cloud and the domains ca
### Why does my encryption driver break Microsoft Defender Application Guard?
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work, and will result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
-
-### Why do the network isolation policies in Group Policy and CSP look different?
-
-There is not a one-to-one mapping among all the network isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
-
-Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
-Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
-For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
-
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why did Application Guard stop working after I turned off hyperthreading?
-If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility that Microsoft Defender Application Guard no longer meets the minimum requirements.
-
-### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
-
-Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
-
-### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
-
-This is a known issue. To mitigate this you need to create two firewall rules.
-For guidance on how to create a firewall rule by using group policy, see:
-- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
-- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
-
-First rule (DHCP Server):
-1. Program path: `%SystemRoot%\System32\svchost.exe`
-2. Local Service: Sid: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess))
-3. Protocol UDP
-4. Port 67
-
-Second rule (DHCP Client)
-This is the same as the first rule, but scoped to local port 68.
-In the Microsoft Defender Firewall user interface go through the following steps:
-1. Right click on inbound rules, create a new rule.
-2. Choose **custom rule**.
-3. Program path: **%SystemRoot%\System32\svchost.exe**.
-4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
-5. Any IP addresses.
-6. Allow the connection.
-7. All profiles.
-8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
-9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
-
-### Why can I not launch Application Guard when Exploit Guard is enabled?
-
-There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to the **use default**.
-
-
-### How can I have ICS in enabled state yet still use Application Guard?
-
-This is a two step process.
-
-Step 1:
-
-Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from **Enabled** to **Disabled**.
-
-Step 2:
-
-1. Disable IpNat.sys from ICS load:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`.
-2. Configure ICS (SharedAccess) to enabled:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`.
-3. Disable IPNAT (Optional):
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
-4. Restart the device.
-
-### Why doesn't Application Guard work, even though it's enabled through Group Policy?
-
-Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard).
-To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing.
-
-For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite.
-
-For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP.
-
-### I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this?
-
-WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps:
-
-1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
-
-2. Reboot the device.
+If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 04d381db5b..4acd29aa2d 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -43,8 +43,8 @@ Application Guard has been created to target several types of systems:
## Related articles
-|Article | Description |
-|--------|-------------|
+|Article |Description |
+|------|------------|
|[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
new file mode 100644
index 0000000000..b1576974be
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
@@ -0,0 +1,80 @@
+---
+title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection
+description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 09/20/2020
+---
+
+# AssignedIPAddresses()
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
+
+This function returns a table with the following columns:
+
+Column | Data type | Description
+-|-|-
+`Timestamp` | datetime | Latest time when the device was observed using the IP address
+`IPAddress` | string | IP address used by the device
+`IPType` | string | Indicates whether the IP address is a public or private address
+`NetworkAdapterType` | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype)
+`ConnectedNetworks` | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet
+
+## Syntax
+
+```kusto
+AssignedIPAddresses(x, y)
+```
+
+## Arguments
+
+- **x**—`DeviceId` or `DeviceName` value identifying the device
+- **y**—`Timestamp` (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses.
+
+## Examples
+
+### Get the list of IP addresses used by a device 24 hours ago
+
+```kusto
+AssignedIPAddresses('example-device-name', ago(1d))
+```
+
+### Get IP addresses used by a device and find devices communicating with it
+
+This query uses the `AssignedIPAddresses()` function to get assigned IP addresses for the device (`example-device-name`) on or before a specific date (`example-date`). It then uses the IP addresses to find connections to the device initiated by other devices.
+
+```kusto
+let Date = datetime(example-date);
+let DeviceName = "example-device-name";
+// List IP addresses used on or before the specified date
+AssignedIPAddresses(DeviceName, Date)
+| project DeviceName, IPAddress, AssignedTime = Timestamp
+// Get all network events on devices with the assigned IP addresses as the destination addresses
+| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
+// Get only network events around the time the IP address was assigned
+| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h))
+```
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
index 55a5df13d1..6ddbe3d3a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -13,7 +13,7 @@ author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: m365-security-compliance
ms.topic: article
---
@@ -21,14 +21,16 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Optimize query performance
-Apply these recommendations to get results faster and avoid timeouts while running complex queries.
+
+Apply these recommendations to get results faster and avoid timeouts while running complex queries.
+
- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
- Use time filters first. Ideally, limit your queries to seven days.
- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
@@ -43,6 +45,7 @@ Apply these recommendations to get results faster and avoid timeouts while runni
## Query tips and pitfalls
### Queries with process IDs
+
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
@@ -57,6 +60,7 @@ DeviceNetworkEvents
The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
### Queries with command lines
+
Command lines can vary. When applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
@@ -87,9 +91,12 @@ DeviceProcessEvents
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
## Related topics
+
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md
new file mode 100644
index 0000000000..371cfbed8c
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md
@@ -0,0 +1,48 @@
+---
+title: Extend advanced hunting coverage with the right settings
+description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting
+keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/10/2020
+---
+
+# Extend advanced hunting coverage with the right settings
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
+
+## Advanced security auditing on Windows devices
+
+Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.
+
+Data | Description | Schema table | How to configure
+-|-|-|-
+Account management | Events captured as various `ActionType` values indicating local account creation, deletion, and other account-related activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit User Account Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-user-account-management)
- [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
+Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)
- [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
+Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)
- [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md
new file mode 100644
index 0000000000..f2f93bf6a2
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md
@@ -0,0 +1,85 @@
+---
+title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection
+description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 09/20/2020
+---
+
+# FileProfile()
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query.
+
+Column | Data type | Description
+-|-|-
+SHA1 | string | SHA-1 of the file that the recorded action was applied to
+SHA256 | string | SHA-256 of the file that the recorded action was applied to
+MD5 | string | MD5 hash of the file that the recorded action was applied to
+FileSize | int | Size of the file in bytes
+GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally
+GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally
+GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally
+Signer | string | Information about the signer of the file
+Issuer | string | Information about the issuing certificate authority (CA)
+SignerHash | string | Unique hash value identifying the signer
+IsCertificateValid | boolean | Whether the certificate used to sign the file is valid
+IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft
+IsExecutable | boolean | Whether the file is a Portable Executable (PE) file
+ThreatName | string | Detection name for any malware or other threats found
+Publisher | string | Name of the organization that published the file
+SoftwareName | string | Name of the software product
+
+## Syntax
+
+```kusto
+invoke FileProfile(x,y)
+```
+
+## Arguments
+
+- **x** — file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified
+- **y** — limit to the number of records to enrich, 1-1000; function uses 100 if unspecified
+
+## Examples
+
+### Project only the SHA1 column and enrich it
+
+```kusto
+DeviceFileEvents
+| where isnotempty(SHA1) and Timestamp > ago(1d)
+| take 10
+| project SHA1
+| invoke FileProfile()
+```
+
+### Enrich the first 500 records and list low-prevalence files
+
+```kusto
+DeviceFileEvents
+| where ActionType == "FileCreated" and Timestamp > ago(1d)
+| project CreatedOn = Timestamp, FileName, FolderPath, SHA1
+| invoke FileProfile("SHA1", 500)
+| where GlobalPrevalence < 15
+```
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md
new file mode 100644
index 0000000000..cab2d3160b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md
@@ -0,0 +1,107 @@
+---
+title: Get relevant info about an entity with go hunt
+description: Learn how to use the "go hunt" tool to quickly query for relevant information about an entity or event using advanced hunting.
+keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Quickly hunt for entity or event information with go hunt
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.
+
+The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections:
+
+- In the [incident page](investigate-incidents.md), you can review details about users, devices, and many other entities associated with an incident. When you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a device is selected, showing details about the device as well the option to hunt for more information about the device.
+
+ 
+
+- In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity.
+
+ 
+
+- When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting.
+
+ 
+
+Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event.
+
+## Query for entity information
+
+When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident.
+
+Here is an example of the go hunt query for a device:
+
+```kusto
+let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z);
+let deviceName = "fv-az770.example.com";
+let deviceId = "device-guid";
+search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents, IdentityLogonEvents, IdentityQueryEvents)
+Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
+and DeviceName == deviceName
+// or RemoteDeviceName == deviceName
+// or DeviceId == deviceId
+| take 100
+```
+
+### Supported entity types
+
+You can use *go hunt* after selecting any of these entity types:
+
+- Files
+- Users
+- Devices
+- IP addresses
+- URLs
+
+## Query for event information
+
+When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device:
+
+```kusto
+// List relevant events 30 minutes before and after selected RegistryValueSet event
+let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z);
+search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
+ Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m))
+ and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4"
+| sort by Timestamp desc
+| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event"))
+| project-reorder Relevance
+```
+
+## Adjust the query
+
+With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window:
+
+```kusto
+Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
+```
+
+In addition to modifying the query to get more relevant results, you can also:
+
+- [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart)
+- [Create a custom detection rule](custom-detection-rules.md)
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Custom detection rules](custom-detection-rules.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
index 576f8e6c89..19ef98383c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
@@ -28,18 +28,20 @@ ms.topic: article
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
+Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
+
+
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
+
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
>[!TIP]
>Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
## Get started with advanced hunting
-Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
-
-You can also go through each of the following steps to ramp up your advanced hunting knowledge.
+Go through the following steps to ramp up your advanced hunting knowledge.
We recommend going through several steps to quickly get up and running with advanced hunting.
@@ -50,18 +52,24 @@ We recommend going through several steps to quickly get up and running with adva
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)
- [Handle errors](advanced-hunting-errors.md) |
+| **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) |
+| **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) |
+| **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) |
| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
- [Custom detection rules](custom-detection-rules.md) |
## Data freshness and update frequency
+
Advanced hunting data can be categorized into two distinct types, each consolidated differently.
- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
## Time zone
+
Time information in advanced hunting is currently in the UTC time zone.
## Related topics
+
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Use shared queries](advanced-hunting-shared-queries.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
index 7003a2670e..2d83c38459 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@@ -21,13 +21,12 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query.
+Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query.
## Try your first query
@@ -52,26 +51,21 @@ union DeviceProcessEvents, DeviceNetworkEvents
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
| top 100 by Timestamp
```
-
-This is how it will look like in advanced hunting.
-
-
-
+**[Run this query in advanced hunting](https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAI2TT0vDQBDF5yz4HUJPFcTqyZsXqyCIBFvxKNGWtpo_NVlbC8XP7m8mado0K5Zls8nkzdu3b2Z70pNAbmUmqYyk4D2UTJYyllwGMmWNGQHrN_NNvsSBzUBrbMFMiWieAx3xDEBl4GL4AuNd8B0bNgARENcdUmIZ3yM5liPwac3bN-YZPGPU5ET1rWDc7Ox4uod8YDp4MzI-GkjlX4Ne2nly0zEkKzFWh4ZE5sSuTN8Ehq5couvEMnvmUAhez-HsRBMipVa_W_OG6vEfGtT12JRHpqV064e1Kx04NsxFzXxW1aFjp_djXmDRPbfY3XMMcLogTz2bWZ2KqmIJI6q6wKe2WYnrRsa9KVeU9kCBBo2v7BzPxF_Bx2DKiqh63SGoRoc6Njti48z_yL71XHQAcgAur6rXRpcqH3l-4knZF23Utsbq2MircEqmw-G__xR1TdZ1r7zb7XLezmx3etkvGr-ze6NdGdW92azUfpcdluWvr-aqbh_nofnqcWI3aYyOsBV7giduRUO7187LMKTT5rxvHHX80_t8IeeMgLquvL7-Ak3q-kz8BAAA&runQuery=true&timeRangeId=week)**
### Describe the query and specify the tables to search
-A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization.
+A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization.
```kusto
// Finds PowerShell execution events that could involve a download
```
-
-The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
+The query itself will typically start with a table name followed by several elements that start with a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
```kusto
union DeviceProcessEvents, DeviceNetworkEvents
```
### Set the time range
-The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
+The first piped element is a time filter scoped to the previous seven days. Limiting the time range helps ensure that queries perform well, return manageable results, and don't time out.
```kusto
| where Timestamp > ago(7d)
@@ -80,7 +74,7 @@ The first piped element is a time filter scoped to the previous seven days. Keep
### Check specific processes
The time range is immediately followed by a search for process file names representing the PowerShell application.
-```
+```kusto
// Pivoting on PowerShell processes
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
```
@@ -101,7 +95,7 @@ Afterwards, the query looks for strings in command lines that are typically used
```
### Customize result columns and length
-Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
+Now that your query clearly identifies the data you want to locate, you can define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
```kusto
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
@@ -109,7 +103,7 @@ FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
| top 100 by Timestamp
```
-Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results.
+Select **Run query** to see the results. Use the expand icon at the top right of the query editor to focus on your hunting query and the results.
@@ -118,7 +112,7 @@ Click **Run query** to see the results. Select the expand icon at the top right
## Learn common query operators for advanced hunting
-Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
+You've just run your first query and have a general idea of its components. It's time to backtrack slightly and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
| Operator | Description and usage |
|--|--|
@@ -137,15 +131,17 @@ To see a live example of these operators, run them from the **Get started** sect
## Understand data types
-Data in advanced hunting tables are generally classified into the following data types.
+Advanced hunting supports Kusto data types, including the following common types:
| Data type | Description and query implications |
|--|--|
-| `datetime` | Data and time information typically representing event timestamps |
-| `string` | Character string |
-| `bool` | True or false |
-| `int` | 32-bit numeric value |
-| `long` | 64-bit numeric value |
+| `datetime` | Data and time information typically representing event timestamps. [See supported datetime formats](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/datetime) |
+| `string` | Character string in UTF-8 enclosed in single quotes (`'`) or double quotes (`"`). [Read more about strings](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/string) |
+| `bool` | This data type supports `true` or `false` states. [See supported literals and operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/bool) |
+| `int` | 32-bit integer |
+| `long` | 64-bit integer |
+
+To learn more about these data types, [read about Kusto scalar data types](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/).
## Get help as you write queries
Take advantage of the following functionality to write queries faster:
@@ -155,7 +151,7 @@ Take advantage of the following functionality to write queries faster:
- **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries
## Work with multiple queries in the editor
-The query editor can serve as your scratch pad for experimenting with multiple queries. To use multiple queries:
+You can use the query editor to experiment with multiple queries. To use multiple queries:
- Separate each query with an empty line.
- Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**.
@@ -171,7 +167,7 @@ The **Get started** section provides a few simple queries using commonly used op
> [!NOTE]
-> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
+> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the [GitHub query repository](https://aka.ms/hunting-queries).
## Access comprehensive query language reference
@@ -180,7 +176,6 @@ For detailed information about the query language, see [Kusto query language doc
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
index 97391fa308..b06237a57a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
@@ -116,6 +116,12 @@ After running a query, select **Export** to save the results to local file. Your
## Drill down from query results
To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
+To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. The panel provides the following information based on the selected record:
+
+- **Assets** — A summarized view of the main assets (mailboxes, devices, and users) found in the record, enriched with available information, such as risk and exposure levels
+- **Process tree** — A chart generated for records with process information and enriched using available contextual information; in general, queries that return more columns can result in richer process trees.
+- **All details** — Lists all the values from the columns in the record
+
## Tweak your queries from the results
Right-click a value in the result set to quickly enhance your query. You can use the options to:
@@ -126,9 +132,9 @@ Right-click a value in the result set to quickly enhance your query. You can use
## Filter the query results
-The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
+The filters displayed in the right pane provide a summary of the result set. Every column has its own section in the pane, each of which lists the values found in that column, and the number of instances.
-Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**.
+Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude. Then select **Run query**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 6a0361489c..c41443181f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -69,8 +69,11 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
+
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Work with query results](advanced-hunting-query-results.md)
- [Learn the query language](advanced-hunting-query-language.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Custom detections overview](overview-custom-detections.md)
- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
index 4eb3858c7f..46610a6772 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
@@ -43,7 +43,7 @@ You can save a new or existing query so that it is only accessible to you or sha
4. Select the folder where you'd like to save the query.
- - **Shared queries** — shared to all users in the your organization
+ - **Shared queries** — shared to all users in your organization
- **My queries** — accessible only to you
5. Select **Save**.
@@ -67,3 +67,7 @@ Microsoft security researchers regularly share advanced hunting queries in a [de
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
new file mode 100644
index 0000000000..b06baf7444
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
@@ -0,0 +1,82 @@
+---
+title: Take action on advanced hunting query results in Microsoft Threat Protection
+description: Quickly address threats and affected assets in your advanced hunting query results
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 09/20/2020
+---
+
+# Take action on advanced hunting query results
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can:
+
+- Take various actions on devices
+- Quarantine files
+
+## Required permissions
+
+To be able to take action through advanced hunting, you need a role in Microsoft Defender ATP with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
+
+*Active remediation actions > Threat and vulnerability management - Remediation handling*
+
+## Take various actions on devices
+
+You can take the following actions on devices identified by the `DeviceId` column in your query results:
+
+- Isolate affected devices to contain an infection or prevent attacks from moving laterally
+- Collect investigation package to obtain more forensic information
+- Run an antivirus scan to find and remove threats using the latest security intelligence updates
+- Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices
+- Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables
+
+To learn more about how these response actions are performed through Microsoft Defender ATP, [read about response actions on devices](respond-machine-alerts.md).
+
+## Quarantine files
+
+You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine:
+
+- `SHA1` — In most advanced hunting tables, this is the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this would be the copied file.
+- `InitiatingProcessSHA1` — In most advanced hunting tables, this is the file responsible for initiating the recorded action. For example, if a child process was launched, this would be the parent process.
+- `SHA256` — This is the SHA-256 equivalent of the file identified by the `SHA1` column.
+- `InitiatingProcessSHA256` — This is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column.
+
+To learn more about how quarantine actions are taken and how files can be restored, [read about response actions on files](respond-file-alerts.md).
+
+>[!NOTE]
+>To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.
+
+## Take action
+
+To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions.
+
+
+
+## Review actions taken
+
+Each action is individually recorded in the action center, under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action.
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
index e8bb4f8847..6edfd475aa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
index 079bb71234..b70734bf7c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
index a989d91d73..d2d946c3fb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
@@ -14,7 +14,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index 19a2f46e0c..b8454c4935 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -72,6 +72,8 @@ Field numbers match the numbers in the images below.
> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. |
> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
+| | LinkToMTP | flexString1 | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
+| | IncidentLinkToMTP | flexString1 | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 21443608c3..45db3aa0c7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -11,9 +11,10 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
-ms.reviewer:
+ms.reviewer: sugamar, jcedola
manager: dansimp
ms.custom: asr
+ms.date: 10/08/2020
---
# Reduce attack surfaces with attack surface reduction rules
@@ -326,10 +327,7 @@ GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
### Block untrusted and unsigned processes that run from USB
-With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
-
-* Executable files (such as .exe, .dll, or .scr)
-* Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)
+With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index d8526c28d0..0a77813dd2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -12,9 +12,12 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
-ms.reviewer: ramarom, evaldm, isco, mabraitm
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
+ms.date: 09/24/2020
---
# View details and results of automated investigations
@@ -22,7 +25,7 @@ ms.reviewer: ramarom, evaldm, isco, mabraitm
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically.
+During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically.
If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
@@ -164,5 +167,5 @@ When you click on the pending actions link, you'll be taken to the Action center
- [View and approve remediation actions](manage-auto-investigation.md)
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 8c81015728..ef999e9cca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -1,22 +1,25 @@
---
title: Use automated investigations to investigate and remediate threats
-description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export
+description: Understand the automated investigation flow in Microsoft Defender for Endpoint.
+keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
-ms.date: 09/03/2020
+ms.date: 09/30/2020
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
-ms.reviewer: ramarom, evaldm, isco, mabraitm
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
ms.custom: AIR
---
@@ -27,16 +30,16 @@ ms.custom: AIR
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
-Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities.
+Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively.
-Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated.
+Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
> [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
## How the automated investigation starts
-When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
+When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
@@ -51,15 +54,15 @@ During and after an automated investigation, you can view details about the inve
|Tab |Description |
|--|--|
-|**Alerts**| Shows the alert that started the investigation.|
-|**Devices** |Shows where the alert was seen.|
-|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
-|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
-|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
+|**Alerts**| The alert(s) that started the investigation.|
+|**Devices** |The device(s) where the threat was seen.|
+|**Evidence** |The entities that were found to be malicious during an investigation.|
+|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
+|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.|
|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. |
> [!IMPORTANT]
-> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
+> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
## How an automated investigation expands its scope
@@ -69,48 +72,33 @@ If an incriminated entity is seen in another device, the automated investigation
## How threats are remediated
-Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats.
+Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats.
> [!NOTE]
-> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
+> Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
You can configure the following levels of automation:
|Automation level | Description|
|---|---|
-|**Full - remediate threats automatically** | All remediation actions are performed automatically.
***This option is recommended** and is selected by default for Microsoft Defender ATP tenants that were created on or after August 16, 2020, and that have no device groups defined.
If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.*|
-|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.
Files or executables in all other folders are automatically remediated, if needed.|
-|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.
Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).|
-|**Semi - require approval for any remediation** | An approval is needed for any remediation action.
*This option is selected by default for Microsoft Defender ATP tenants that were created before August 16, 2020, and that have no device groups defined.
If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
-|**No automated response** | Devices do not get any automated investigations run on them.
***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* |
+|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.
***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*
*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* |
+|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). |
+|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` |
+|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*
*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
+|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.
***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* |
> [!IMPORTANT]
-> Regarding automation levels and default settings:
-> - If your tenant already has device groups defined, the automation level settings are not changed for those device groups.
-> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**.
-> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**.
-> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**.
-> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**.
-> - To change an automation level, **[edit your device groups](configure-automated-investigations-remediation.md#set-up-device-groups)**.
-
-
-### A few points to keep in mind
-
-- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
-
-- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed.
-
-- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center).
+> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
## Next steps
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
## See also
-- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
+- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
-- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
+- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
index e9516735d3..8d29204276 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -16,6 +16,8 @@ ms.custom:
- next-gen
- edr
ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
---
# Behavioral blocking and containment
diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
index fee9bbd249..52e97e1b70 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
@@ -16,6 +16,8 @@ ms.custom:
- next-gen
- edr
ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
---
# Client behavioral blocking
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
index c5015477eb..6a3872d1b2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
@@ -1,10 +1,11 @@
---
title: Configure automated investigation and remediation capabilities
-description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
+description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint.
keywords: configure, setup, automated, investigation, detection, alerts, remediation, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -14,20 +15,21 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.reviewer: ramarom, evaldm, isco, mabraitm
+ms.topic: article
+ms.date: 09/24/2020
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
---
-# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection
+# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
+If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
index 82e701c6e9..2f52d63533 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
@@ -40,7 +40,7 @@ You'll need to know the exact Linux distros and macOS versions that are compatib
You'll need to take the following steps to onboard non-Windows devices:
1. Select your preferred method of onboarding:
- - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-atp-mac).
+ - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac).
- For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.
1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
index edc7d67d77..2372dd38c5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@@ -37,14 +37,14 @@ Based on the version of Configuration Manager you're running, the following clie
#### Configuration Manager version 1910 and prior
-- Clients computers running Windows 10, version 1607 and later
+- Clients computers running Windows 10
#### Configuration Manager version 2002 and later
Starting in Configuration Manager version 2002, you can onboard the following operating systems:
- Windows 8.1
-- Windows 10, version 1607 or later
+- Windows 10
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2016, version 1803 or later
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
index c7d22f6095..23f1b28355 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
@@ -14,7 +14,9 @@ author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
---
@@ -27,11 +29,14 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Before you begin
+> [!NOTE]
+> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
+
Ensure that you have Microsoft Defender ATP deployed in your environment with devices enrolled, and not just on a laboratory set-up.
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
-If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
+If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription.
## Register to Microsoft Threat Experts managed threat hunting service
If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal.
@@ -79,7 +84,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
-2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**.
+2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**.
@@ -87,7 +92,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
- The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription.
+ The following screen shows when you are on a full Microsoft Threat Experts - Experts on-Demand subscription.
@@ -110,7 +115,7 @@ Watch this video for a quick overview of the Microsoft Services Hub.
**Alert information**
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
-- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
+- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored?
- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
@@ -119,7 +124,7 @@ Watch this video for a quick overview of the Microsoft Services Hub.
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
**Threat intelligence details**
-- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
+- We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
**Microsoft Threat Experts’ alert communications**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index d115e3867d..12c3637695 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 79ab34fce9..4edd3585e2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -16,6 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
+ms.date: 09/20/2020
---
# Create custom detection rules
@@ -23,30 +24,36 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
-Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
+Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
-## 1. Check required permissions
+> [!NOTE]
+> To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
-## 2. Prepare the query
+## 1. Prepare the query.
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
>[!IMPORTANT]
>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
-
### Required columns in the query results
-To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
-There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
+To use a query for a custom detection rule, the query must return the following columns:
-The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
+- `Timestamp`
+- `DeviceId`
+- `ReportId`
+
+Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
+
+There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
+
+The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this to find only those devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
```kusto
DeviceEvents
@@ -56,7 +63,10 @@ DeviceEvents
| where count_ > 5
```
-## 3. Create new rule and provide alert details
+> [!TIP]
+> For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data.
+
+## 2. Create a new rule and provide alert details.
With the query in the query editor, select **Create detection rule** and specify the following alert details:
@@ -67,36 +77,52 @@ With the query in the query editor, select **Create detection rule** and specify
- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software
- **Description**—more information about the component or activity identified by the rule
-- **Recommended actions**—additional actions that responders might take in response to an alert
+- **Recommended actions**—additional actions that responders might take in response to an alert
For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
### Rule frequency
-When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
+
+When saved, a new custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days
- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours
- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours
- **Every hour**—runs hourly, checking data from the past 2 hours
+> [!TIP]
+> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
+
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
-## 4. Specify actions on files or devices
+## 3. Choose the impacted entities.
+
+Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return both device and user IDs. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.
+
+You can select only one column for each entity type. Columns that are not returned by your query can't be selected.
+
+## 4. Specify actions.
+
Your custom detection rule can automatically take actions on files or devices that are returned by the query.
### Actions on devices
+
These actions are applied to devices in the `DeviceId` column of the query results:
+
- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
### Actions on files
+
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
+
- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
-## 5. Set the rule scope
+## 5. Set the rule scope.
+
Set the scope to specify which devices are covered by the rule:
- All devices
@@ -104,12 +130,15 @@ Set the scope to specify which devices are covered by the rule:
Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
-## 6. Review and turn on the rule
+## 6. Review and turn on the rule.
+
After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
+You can [view and manage custom detection rules](custom-detections-manage.md), check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
## Related topics
-- [View and manage detection rules](custom-detections-manage.md)
+
+- [View and manage custom detection rules](custom-detections-manage.md)
- [Custom detections overview](overview-custom-detections.md)
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the advanced hunting query language](advanced-hunting-query-language.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
index a92e2b43c4..b5679d1756 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
@@ -16,6 +16,9 @@ ms.custom:
- next-gen
- edr
ms.date: 08/21/2020
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
---
# Endpoint detection and response (EDR) in block mode
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index a6090f9ae7..2d96393904 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -33,12 +33,14 @@ Check if network protection has been enabled on a local device by using Registry
1. Select the **Start** button in the task bar and type **regedit** to open Registry editor
1. Choose **HKEY_LOCAL_MACHINE** from the side menu
-1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** > **Windows Defender** > **Policy Manager**
+1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** > **Windows Defender** > **Windows Defender Exploit Guard** > **Network Protection**
1. Select **EnableNetworkProtection** to see the current state of network protection on the device
* 0, or **Off**
* 1, or **On**
* 2, or **Audit** mode
+
+ 
## Enable network protection
@@ -107,7 +109,7 @@ Confirm network protection is enabled on a local computer by using Registry edit
1. Select **Start** and type **regedit** to open **Registry Editor**.
-2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
+2. Navigate to **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection**
3. Select **EnableNetworkProtection** and confirm the value:
* 0=Off
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
index 5408508e47..4d724bc3ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -29,104 +31,104 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
## Enable the Insider program with Jamf
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
-```XML
-
-
-
-
- edr
-
- earlyPreview
-
-
-
-
-```
+ ```XML
+
+
+
+
+ edr
+
+ earlyPreview
+
+
+
+
+ ```
-b. From the JAMF console, navigate to **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
+1. From the JAMF console, navigate to **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
-c. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
+1. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
->[!WARNING]
->You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
+ > [!WARNING]
+ > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
## Enable the Insider program with Intune
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
- ```XML
-
-
-
-
- PayloadUUID
- C4E6A782-0C8D-44AB-A025-EB893987A295
- PayloadType
- Configuration
- PayloadOrganization
- Microsoft
- PayloadIdentifier
- com.microsoft.wdav
- PayloadDisplayName
- Microsoft Defender ATP settings
- PayloadDescription
- Microsoft Defender ATP configuration settings
- PayloadVersion
- 1
- PayloadEnabled
-
- PayloadRemovalDisallowed
-
- PayloadScope
- System
- PayloadContent
-
-
- PayloadUUID
- 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295
- PayloadType
- com.microsoft.wdav
- PayloadOrganization
- Microsoft
- PayloadIdentifier
- com.microsoft.wdav
- PayloadDisplayName
- Microsoft Defender ATP configuration settings
- PayloadDescription
-
- PayloadVersion
- 1
- PayloadEnabled
-
- edr
-
- earlyPreview
-
-
-
-
-
-
-```
+ ```XML
+
+
+
+
+ PayloadUUID
+ C4E6A782-0C8D-44AB-A025-EB893987A295
+ PayloadType
+ Configuration
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP settings
+ PayloadDescription
+ Microsoft Defender ATP configuration settings
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadContent
+
+
+ PayloadUUID
+ 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295
+ PayloadType
+ com.microsoft.wdav
+ PayloadOrganization
+ Microsoft
+ PayloadIdentifier
+ com.microsoft.wdav
+ PayloadDisplayName
+ Microsoft Defender ATP configuration settings
+ PayloadDescription
+
+ PayloadVersion
+ 1
+ PayloadEnabled
+
+ edr
+
+ earlyPreview
+
+
+
+
+
+
+ ```
-b. Open **Manage > Device configuration**. Select **Manage > Profiles > Create Profile**.
+1. Open **Manage > Device configuration**. Select **Manage > Profiles > Create Profile**.
-c. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
+1. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
-d. Save the .plist created earlier as com.microsoft.wdav.xml.
+1. Save the .plist created earlier as com.microsoft.wdav.xml.
-e. Enter com.microsoft.wdav as the custom configuration profile name.
+1. Enter com.microsoft.wdav as the custom configuration profile name.
-f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
+1. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
-g. Select **OK**.
+1. Select **OK**.
-h. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+1. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
->[!WARNING]
->You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
+ > [!WARNING]
+ > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
## Enable the Insider program manually on a single device
@@ -134,7 +136,7 @@ In terminal, run:
```bash
mdatp --edr --early-preview true
- ```
+```
For versions earlier than 100.78.0, run:
@@ -161,4 +163,4 @@ After a successful deployment and onboarding of the correct version, check that
* Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
-If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
+If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index 1e2be5f01f..e5f5fcad0b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -41,7 +41,7 @@ Not all properties are filterable.
Get 10 latest Alerts with related Evidence
-```
+```http
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
```
@@ -147,9 +147,9 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
### Example 2
-Get all the alerts last updated after 2019-10-20 00:00:00
+Get all the alerts last updated after 2019-11-22 00:00:00
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
```
@@ -205,7 +205,7 @@ HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTi
Get all the devices with 'High' 'RiskScore'
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
```
@@ -244,7 +244,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+
Get top 100 devices with 'HealthStatus' not equals to 'Active'
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
```
@@ -283,7 +283,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStat
Get all the devices that last seen after 2018-10-20
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
```
@@ -322,7 +322,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g
Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
```
@@ -354,7 +354,7 @@ json{
Get the count of open alerts for a specific device:
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png b/windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png
new file mode 100644
index 0000000000..fd58d3cb11
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ah-take-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/ah-take-actions.png
new file mode 100644
index 0000000000..daf9714d6e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ah-take-actions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png
new file mode 100644
index 0000000000..a6ff679378
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-2.png
new file mode 100644
index 0000000000..d3e8d67250
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-3.png
new file mode 100644
index 0000000000..0d7aac7dce
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-4.png
new file mode 100644
index 0000000000..ad17cf144e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-5.png b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-5.png
new file mode 100644
index 0000000000..576472cd8c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png b/windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png
new file mode 100644
index 0000000000..f5448c34d3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-device.png
new file mode 100644
index 0000000000..71d8f65d88
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-device.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-event.png b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-event.png
new file mode 100644
index 0000000000..cf3c5d405a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-event.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-evidence-url.png b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-evidence-url.png
new file mode 100644
index 0000000000..a489b3c7b9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-evidence-url.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-choose-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-choose-file.png
new file mode 100644
index 0000000000..9fee8307d9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-choose-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-create-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-create-profile.png
new file mode 100644
index 0000000000..dfe09495a2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-create-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-final.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-final.png
new file mode 100644
index 0000000000..5529575cbe
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-final.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-profile-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-profile-page.png
new file mode 100644
index 0000000000..80e4d3cc67
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-profile-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-scope.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-scope.png
new file mode 100644
index 0000000000..ccd19095f5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-scope.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file.png
new file mode 100644
index 0000000000..1257677bec
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file2.png b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file2.png
new file mode 100644
index 0000000000..b2d8d02a63
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure.png
new file mode 100644
index 0000000000..a8777a1764
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure2.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure2.png
new file mode 100644
index 0000000000..43bc82f7c6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-final.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-final.png
new file mode 100644
index 0000000000..c2aa50f3c4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-final.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-new-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-new-profile.png
new file mode 100644
index 0000000000..9912030cb6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-new-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sysext-scope.png b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-scope.png
new file mode 100644
index 0000000000..5d9401ae38
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sysext-scope.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tcc-add-entry.png b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-add-entry.png
new file mode 100644
index 0000000000..3c2c23b1f4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-add-entry.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry.png b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry.png
new file mode 100644
index 0000000000..4e69457dcb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry2.png b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry2.png
new file mode 100644
index 0000000000..54330f800e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png b/windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png
new file mode 100644
index 0000000000..5a2af54c14
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
index 892f860dff..1b20360ecd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
ms.date: 04/24/2018
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
index 0738fd810b..37ca52cd85 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
index 65739231df..7bd899fd9b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
ms.date: 04/24/2018
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
index 0c25dc5114..f5c2fcb4ce 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
ms.date: 04/24/2018
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
index 2c7b5a46cc..419b64c153 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
index 5bcdb3f2c1..fb1109d764 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
ms.date: 04/24/2018
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index 6e97ffcfa7..5419c76996 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
index dd1a9f6766..7593f22e63 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
ms.date: 04/24/2018
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
index 6f499c34c0..87bac34185 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
@@ -12,7 +12,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
new file mode 100644
index 0000000000..abb45e662b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
@@ -0,0 +1,49 @@
+---
+title: Configure Microsoft Defender ATP for iOS features
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for iOS features
+keywords: microsoft, defender, atp, ios, configure, features, ios
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
+ms.topic: conceptual
+---
+
+# Configure Microsoft Defender ATP for iOS features
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+
+
+## Configure custom indicators
+Microsoft Defender ATP for iOS enables admins to configure custom indicators on
+iOS devices as well. Refer to [Manage
+indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
+on how to configure custom indicators
+
+## Web Protection
+By default, Microsoft Defender ATP for iOS includes and enables the web
+protection feature. [Web
+protection](web-protection-overview.md) helps
+to secure devices against web threats and protect users from phishing attacks.
+
+>[!NOTE]
+>Microsoft Defender ATP for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md
new file mode 100644
index 0000000000..be3fe61fbf
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md
@@ -0,0 +1,82 @@
+---
+title: App-based deployment for Microsoft Defender ATP for iOS
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for iOS using an app
+keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
+ms.topic: conceptual
+---
+
+# App-based deployment for Microsoft Defender ATP for iOS
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+
+Microsoft Defender ATP for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
+
+Deployment devices need to be enrolled on Intune Company portal. Refer to
+[Enroll your
+device](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll) to
+learn more about Intune device enrollment
+
+## Before you begin
+
+- Ensure you have access to [Microsoft Endpoint manager admin
+ center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
+- Ensure iOS enrollment is done for your users. Users need to have Microsoft Defender ATP
+ license assigned in order to use Microsoft Defender ATP for iOS. Refer [Assign licenses to
+ users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
+ for instructions on how to assign licenses.
+
+
+## Deployment steps
+
+To install Microsoft Defender ATP for iOS, end-users can visit
+ on their iOS devices. This link will open the
+TestFlight application on their device or prompt them to install TestFlight. On
+the TestFlight app, follow the onscreen instructions to install Microsoft
+Defender ATP.
+
+
+
+
+## Complete onboarding and check status
+
+1. Once Microsoft Defender ATP for iOS has been installed on the device, you
+ will see the app icon.
+
+ 
+
+2. Tap the Microsoft Defender ATP app icon and follow the on-screen
+ instructions to complete the onboarding steps. The details include end-user
+ acceptance of iOS permissions required by Microsoft Defender ATP for iOS.
+
+3. Upon successful onboarding, the device will start showing up on the Devices
+ list in Microsoft Defender Security Center.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+## Next Steps
+
+[Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md
deleted file mode 100644
index f775848c86..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Microsoft Defender ATP for iOS note on Privacy
-ms.reviewer:
-description: Describes the Microsoft Defender ATP for iOS Privacy
-keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: sunasing
-author: sunasing
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-hideEdit: true
----
-
-# Microsoft Defender ATP for iOS note on Privacy
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-## What information can my organization see when I use Microsoft Defender ATP on iOS
-
-Your organization cannot see your personal information when you use Microsoft Defender ATP. Microsoft Defender ATP sends certain pieces of information from your device to the ATP portal, such as device threat level, device model, and serial number. Your organization uses this information to help protect you from web-based attacks.
-
-**What your organization can never see:**
-
-- Calling and web browsing history
-- Email and text messages
-- Contacts
-- Calendar
-- Passwords
-- Pictures, including what's in the photos app or camera roll
-- Files
-
-**What your organization can see:**
-
-- Malicious Connections that were blocked by Microsoft Defender ATP
-- Device model, like iPhone 11
-- Operating system and version, like iOS 12.0.1
-- Device name
-- Device serial number
-
-## VPN Usage
-
-Microsoft Defender ATP for iOS uses VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
-
-## More on Privacy
-
-[More information about Privacy](https://aka.ms/mdatpiosmainprivacystatement)
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md
new file mode 100644
index 0000000000..1bef25da5f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md
@@ -0,0 +1,78 @@
+---
+title: Microsoft Defender ATP for iOS note on Privacy
+ms.reviewer:
+description: Describes the Microsoft Defender ATP for iOS Privacy
+keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: sunasing
+author: sunasing
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+hideEdit: true
+---
+
+# Microsoft Defender ATP for iOS - Privacy information
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for iOS](microsoft-defender-atp-ios.md)
+
+>[!NOTE]
+> Microsoft Defender ATP for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**.
+
+Microsoft Defender ATP for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Microsoft Defender ATP.
+
+Information is collected to help keep Microsoft Defender ATP for iOS secure, up-to-date, performing as expected and to support the service.
+
+## Required data
+
+Required data consists of data that is necessary to make Microsoft Defender ATP for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected:
+
+### Web page / Network information
+
+- Connection information
+- Protocol type (such as HTTP, HTTPS, etc.)
+
+### Device and account information
+
+- Device information such as date & time, iOS version, CPU info, and Device identifier
+- Device identifier is one of the below:
+ - Wi-Fi adapter MAC address
+ - Randomly generated globally unique identifier (GUID)
+
+- Tenant, Device, and User information
+ - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely identifies the device, User respectively at Azure Active directory.
+ - Azure tenant ID - GUID that identifies your organization within Azure Active Directory
+ - Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted
+ - User Principal Name - Email ID of the user
+
+### Product and service usage data
+
+- App package info, including name, version, and app upgrade status
+- Actions performed in the app
+- Crash report logs generated by iOS
+- Memory usage data
+
+## Optional data
+
+Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself.
+
+Optional diagnostic data includes:
+
+- App, CPU, and network usage
+- Features configured by the admin
+
+**Feedback Data** is collected through in-app feedback provided by the user.
+
+- The user's email address, if they choose to provide it
+- Feedback type (smile, frown, idea) and any feedback comments submitted by the user
+
+[More on Privacy](https://aka.ms/mdatpiosprivacystatement)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
index 6969f1c941..39f57d1213 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
@@ -14,7 +14,9 @@ author: sunasing
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
hideEdit: true
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
index 9ad7e0b073..8bee109c6f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -49,6 +51,9 @@ File | A specific file identified by the full path | `/var/log/test.log`
`/v
Folder | All files under the specified folder (recursively) | `/var/log/`
`/var/*/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t`
+> [!IMPORTANT]
+> The paths above must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file `.
+
File, folder, and process exclusions support the following wildcards:
Wildcard | Description | Example | Matches | Does not match
@@ -107,6 +112,16 @@ Examples:
```bash
mdatp exclusion folder add --path "/var/*/"
```
+
+ > [!NOTE]
+ > This will only exclude paths one level below */var/*, but not folders which are more deeply nested; for example, */var/this-subfolder/but-not-this-subfolder*.
+
+ ```bash
+ mdatp exclusion folder add --path "/var/"
+ ```
+ > [!NOTE]
+ > This will exclude all paths whose parent is */var/*; for example, */var/this-subfolder/and-this-subfolder-as-well*.
+
```Output
Folder exclusion configured successfully
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 157c193e75..3012e87c2c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -51,6 +53,12 @@ In order to preview new features and provide early feedback, it is recommended t
### RHEL and variants (CentOS and Oracle Linux)
+- Install `yum-utils` if it isn't installed yet:
+
+ ```bash
+ sudo yum install yum-utils
+ ```
+
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
@@ -74,12 +82,6 @@ In order to preview new features and provide early feedback, it is recommended t
sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc
```
-- Install `yum-utils` if it isn't installed yet:
-
- ```bash
- sudo yum install yum-utils
- ```
-
- Download and make usable all the metadata for the currently enabled yum repositories:
```bash
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
index 4e622f504d..2cc5610a4c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
index a89c89272b..68fe2b6926 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
index 22cebfbcda..e2944beb87 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
index 40ac81e1d0..58b9c14323 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
index e79f91ce6c..7c779b7d9d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
index d2df9ea151..d3b7796378 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
index 81de10526e..3406767afa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
index 5453c8c205..15d0e69c78 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
index e0c27b4a46..8390f37105 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+mms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
index adc018682b..dd01c882b0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
index 302d9c6717..8e290c8ff5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
index 2399987032..3eeb408c4d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md
index 49c40a09a3..59d65172e9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index daea53aa5e..3f720e90e8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -28,7 +30,8 @@ ms.topic: conceptual
This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Application installation](#application-installation)
+- [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions)
+- [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions)
- [Client configuration](#client-configuration)
## Prerequisites and system requirements
@@ -48,7 +51,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
5. From a command prompt, verify that you have the two files.
-## Application installation
+## Application installation (macOS 10.15 and older versions)
To complete this process, you must have admin privileges on the device.
@@ -65,7 +68,7 @@ To complete this process, you must have admin privileges on the device.
-3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
+3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
@@ -77,6 +80,34 @@ To complete this process, you must have admin privileges on the device.
> [!NOTE]
> macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted.
+## Application installation (macOS 11 and newer versions)
+
+To complete this process, you must have admin privileges on the device.
+
+1. Navigate to the downloaded wdav.pkg in Finder and open it.
+
+ 
+
+2. Select **Continue**, agree with the License terms, and enter the password when prompted.
+
+3. At the end of the installation process, you will be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
+
+ 
+
+4. From the **Security & Privacy** window, select **Allow**.
+
+ 
+
+5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender ATP for Mac.
+
+6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender ATP permissions to filter network traffic, select **Allow**.
+
+ 
+
+7. Open **System Preferences** > **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**.
+
+ 
+
## Client configuration
1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index 17f2c90546..a1fd86434f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -34,6 +36,7 @@ This topic describes how to deploy Microsoft Defender ATP for Mac through Intune
1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
1. [Client device setup](#client-device-setup)
+1. [Approve system extensions](#approve-system-extensions)
1. [Create System Configuration profiles](#create-system-configuration-profiles)
1. [Publish application](#publish-application)
@@ -48,24 +51,30 @@ The following table summarizes the steps you would need to take to deploy and ma
| Step | Sample file names | BundleIdentifier |
|-|-|-|
| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Approve System Extension for Microsoft Defender ATP](#approve-system-extensions) | MDATP_SysExt.xml | N/A |
| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
+| [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A |
| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)
**Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
-| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
+
2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
+
4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
+
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
+
6. From a command prompt, verify that you have the three files.
@@ -130,228 +139,116 @@ You do not need any special provisioning for a Mac device beyond a standard [Com
2. Select **Continue** and complete the enrollment.
-You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
+ You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
-
+ > [!div class="mx-imgBorder"]
+ > 
+
+## Approve System Extensions
+
+To approve the system extensions:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
+
+3. In the `Basics` tab, give a name to this new profile.
+
+4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+
+ Bundle identifier | Team identifier
+ --------------------------|----------------
+ com.microsoft.wdav.epsext | UBF8T346G9
+ com.microsoft.wdav.netext | UBF8T346G9
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+
+6. Review and create this configuration profile.
## Create System Configuration profiles
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
+
3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
+
4. Select **OK**.
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+
6. Repeat steps 1 through 5 for more profiles.
+
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
+
+8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.
> [!CAUTION]
> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
>
- > The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
+ > This configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
- ```xml
-
-
-
-
- PayloadDescription
- Allows Microsoft Defender to access all files on Catalina+
- PayloadDisplayName
- TCC - Microsoft Defender
- PayloadIdentifier
- com.microsoft.wdav.tcc
- PayloadOrganization
- Microsoft Corp.
- PayloadRemovalDisallowed
-
- PayloadScope
- system
- PayloadType
- Configuration
- PayloadUUID
- C234DF2E-DFF6-11E9-B279-001C4299FB44
- PayloadVersion
- 1
- PayloadContent
-
-
- PayloadDescription
- Allows Microsoft Defender to access all files on Catalina+
- PayloadDisplayName
- TCC - Microsoft Defender
- PayloadIdentifier
- com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44
- PayloadOrganization
- Microsoft Corp.
- PayloadType
- com.apple.TCC.configuration-profile-policy
- PayloadUUID
- C233A5E6-DFF6-11E9-BDAD-001C4299FB44
- PayloadVersion
- 1
- Services
-
- SystemPolicyAllFiles
-
-
- Allowed
-
- CodeRequirement
- identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
- Comment
- Allow SystemPolicyAllFiles control for Microsoft Defender ATP
- Identifier
- com.microsoft.wdav
- IdentifierType
- bundleID
-
-
-
-
-
-
-
- ```
+9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections.
-9. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
+10. To allow Microsoft Defender ATP for Mac and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload.
- ```xml
-
-
-
-
- PayloadContent
-
-
- NotificationSettings
-
-
- AlertType
- 2
- BadgesEnabled
-
- BundleIdentifier
- com.microsoft.autoupdate2
- CriticalAlertEnabled
-
- GroupingType
- 0
- NotificationsEnabled
-
- ShowInLockScreen
-
- ShowInNotificationCenter
-
- SoundsEnabled
-
-
-
- AlertType
- 2
- BadgesEnabled
-
- BundleIdentifier
- com.microsoft.wdav.tray
- CriticalAlertEnabled
-
- GroupingType
- 0
- NotificationsEnabled
-
- ShowInLockScreen
-
- ShowInNotificationCenter
-
- SoundsEnabled
-
-
-
- PayloadDescription
-
- PayloadDisplayName
- notifications
- PayloadEnabled
-
- PayloadIdentifier
- BB977315-E4CB-4915-90C7-8334C75A7C64
- PayloadOrganization
- Microsoft
- PayloadType
- com.apple.notificationsettings
- PayloadUUID
- BB977315-E4CB-4915-90C7-8334C75A7C64
- PayloadVersion
- 1
-
-
- PayloadDescription
-
- PayloadDisplayName
- mdatp - allow notifications
- PayloadEnabled
-
- PayloadIdentifier
- 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
- PayloadOrganization
- Microsoft
- PayloadRemovalDisallowed
-
- PayloadScope
- System
- PayloadType
- Configuration
- PayloadUUID
- 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
- PayloadVersion
- 1
-
-
- ```
-
-10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+11. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
-
+> [!div class="mx-imgBorder"]
+> 
## Publish application
1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
+
2. Select **App type=Other/Line-of-business app**.
+
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
+
4. Select **Configure** and add the required information.
+
5. Use **macOS High Sierra 10.13** as the minimum OS.
+
6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
> [!CAUTION]
> Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated.
>
> If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy.
-
- 
+
+ > [!div class="mx-imgBorder"]
+ > 
7. Select **OK** and **Add**.
- 
+ > [!div class="mx-imgBorder"]
+ > 
8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
- 
+ > [!div class="mx-imgBorder"]
+ > 
9. Change **Assignment type** to **Required**.
+
10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
- 
+ > [!div class="mx-imgBorder"]
+ > 
11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
- 
+ > [!div class="mx-imgBorder"]
+ > 
## Verify client device state
@@ -365,7 +262,8 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
3. You should also see the Microsoft Defender icon in the top-right corner:
- 
+ > [!div class="mx-imgBorder"]
+ > 
## Troubleshooting
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index f0d4ab8a8a..b02fdd72d5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
index 39ec2b13b7..1e43a13d07 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
@@ -13,7 +13,9 @@ author: maximvelichko
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -48,7 +50,7 @@ Most modern MDM solutions include these features, however, they may call them di
You can deploy Defender without the last requirement from the preceding list, however:
- You will not be able to collect status in a centralized way
-- If you decide to uninstall Defender, you will need to logon to the client device locally as an administrator
+- If you decide to uninstall Defender, you will need to log on to the client device locally as an administrator
## Deployment
@@ -70,13 +72,44 @@ Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be ext
Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
Alternatively, it may require you to convert the property list to a different format first.
-Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
+Typically, your custom profile has an ID, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information.
### Kernel extension policy
Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to allow kernel extensions provided by Microsoft.
+### System extension policy
+
+Set up a system extension policy. Use team identifier **UBF8T346G9** and approve the following bundle identifiers:
+
+- com.microsoft.wdav.epsext
+- com.microsoft.wdav.netext
+
+### Full disk access policy
+
+Grant Full Disk Access to the following components:
+
+- Microsoft Defender ATP
+ - Identifier: `com.microsoft.wdav`
+ - Identifier Type: Bundle ID
+ - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
+
+- Microsoft Defender ATP Endpoint Security Extension
+ - Identifier: `com.microsoft.wdav.epsext`
+ - Identifier Type: Bundle ID
+ - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+### Network extension policy
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+- Filter type: Plugin
+- Plugin bundle identifier: `com.microsoft.wdav`
+- Filter data provider bundle identifier: `com.microsoft.wdav.netext`
+- Filter data provider designated requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+- Filter sockets: `true`
+
## Check installation status
Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
index 0c869e76e4..04cb07cd04 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
index fd353eceb3..ffd3980a4a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
index 19be21f34f..a56afd0ef7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -44,9 +46,13 @@ You'll need to take the following steps:
7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp)
-8. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+8. [Approve System extensions for Microsoft Defender ATP](#step-8-approve-system-extensions-for-microsoft-defender-atp)
-9. [Deploy Microsoft Defender ATP for macOS](#step-9-deploy-microsoft-defender-atp-for-macos)
+9. [Configure Network Extension](#step-9-configure-network-extension)
+
+10. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+
+11. [Deploy Microsoft Defender ATP for macOS](#step-11-deploy-microsoft-defender-atp-for-macos)
## Step 1: Get the Microsoft Defender ATP onboarding package
@@ -155,106 +161,106 @@ You'll need to take the following steps:
For information, see [Property list for Jamf configuration profile](mac-preferences.md#property-list-for-jamf-configuration-profile).
-```XML
-
-
-
-
- antivirusEngine
-
- enableRealTimeProtection
-
- passiveMode
-
- exclusions
-
-
- $type
- excludedPath
- isDirectory
-
- path
- /var/log/system.log
-
-
- $type
- excludedPath
- isDirectory
-
- path
- /home
-
-
- $type
- excludedFileExtension
- extension
- pdf
-
-
- $type
- excludedFileName
- name
- cat
-
-
- exclusionsMergePolicy
- merge
- allowedThreats
-
- EICAR-Test-File (not a virus)
-
- disallowedThreatActions
-
- allow
- restore
-
- threatTypeSettings
-
-
- key
- potentially_unwanted_application
- value
- block
-
-
- key
- archive_bomb
- value
- audit
-
-
- threatTypeSettingsMergePolicy
- merge
-
- cloudService
-
- enabled
-
- diagnosticLevel
- optional
- automaticSampleSubmission
-
-
- edr
-
- tags
-
-
- key
- GROUP
- value
- ExampleTag
-
-
-
- userInterface
-
- hideStatusMenuIcon
-
-
-
-
-```
+ ```XML
+
+
+
+
+ antivirusEngine
+
+ enableRealTimeProtection
+
+ passiveMode
+
+ exclusions
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /var/log/system.log
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /home
+
+
+ $type
+ excludedFileExtension
+ extension
+ pdf
+
+
+ $type
+ excludedFileName
+ name
+ cat
+
+
+ exclusionsMergePolicy
+ merge
+ allowedThreats
+
+ EICAR-Test-File (not a virus)
+
+ disallowedThreatActions
+
+ allow
+ restore
+
+ threatTypeSettings
+
+
+ key
+ potentially_unwanted_application
+ value
+ block
+
+
+ key
+ archive_bomb
+ value
+ audit
+
+
+ threatTypeSettingsMergePolicy
+ merge
+
+ cloudService
+
+ enabled
+
+ diagnosticLevel
+ optional
+ automaticSampleSubmission
+
+
+ edr
+
+ tags
+
+
+ key
+ GROUP
+ value
+ ExampleTag
+
+
+
+ userInterface
+
+ hideStatusMenuIcon
+
+
+
+
+ ```
2. Save the file as `MDATP_MDAV_configuration_settings.plist`.
@@ -266,11 +272,12 @@ You'll need to take the following steps:
4. Enter the following details:
**General**
- - Name: MDATP MDAV configuration settings
- - Description:\
- - Category: None (default)
- - Distribution Method: Install Automatically(default)
- - Level: Computer Level(default)
+
+ - Name: MDATP MDAV configuration settings
+ - Description:\
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
@@ -336,100 +343,21 @@ You'll need to take the following steps:
These steps are applicable of macOS 10.15 (Catalina) or newer.
-1. Use the following Microsoft Defender ATP notification configuration settings:
+1. Download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig)
-```xml
-
-
-
- PayloadContent
-
-
- NotificationSettings
-
-
- AlertType
- 2
- BadgesEnabled
-
- BundleIdentifier
- com.microsoft.autoupdate2
- CriticalAlertEnabled
- GroupingType
- 0
- NotificationsEnabled
-
- ShowInLockScreen
-
- ShowInNotificationCenter
-
- SoundsEnabled
-
-
-
- AlertType
- 2BadgesEnabled
- BundleIdentifier
- com.microsoft.wdav.tray
- CriticalAlertEnabled
- GroupingType
- 0
- NotificationsEnabled
- ShowInLockScreen
- ShowInNotificationCenter
- SoundsEnabled
-
-
-
- PayloadDescription
- PayloadDisplayName
- notifications
- PayloadEnabled
- PayloadIdentifier
- BB977315-E4CB-4915-90C7-8334C75A7C64
- PayloadOrganization
- Microsoft
- PayloadType
- com.apple.notificationsettings
- PayloadUUID
- BB977315-E4CB-4915-90C7-8334C75A7C64
- PayloadVersion
- 1
-
-
- PayloadDescription
- PayloadDisplayName
- mdatp - allow notifications
- PayloadEnabled
- PayloadIdentifier
- 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
- PayloadOrganization
- Microsoft
- PayloadRemovalDisallowed
- PayloadScope
- System
- PayloadType
- Configuration
- PayloadUUID
- 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
- PayloadVersion
- 1
-
-
- ```
-
-2. Save it as `MDATP_MDAV_notification_settings.plist`.
+2. Save it as `MDATP_MDAV_notification_settings.plist`.
3. In the Jamf Pro dashboard, select **General**.
4. Enter the following details:
**General**
- - Name: MDATP MDAV Notification settings
- - Description: macOS 10.15 (Catalina) or newer
- - Category: None (default)
- - Distribution Method: Install Automatically(default)
- - Level: Computer Level(default)
+
+ - Name: MDATP MDAV Notification settings
+ - Description: macOS 10.15 (Catalina) or newer
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
@@ -475,11 +403,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
1. Use the following Microsoft Defender ATP configuration settings:
-```XML
-
-
-
-
+ ```XML
+
+
+
+
ChannelName
Production
HowToCheck
@@ -490,9 +418,9 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
SendAllTelemetryEnabled
-
-
-```
+
+
+ ```
2. Save it as `MDATP_MDAV_MAU_settings.plist`.
@@ -503,11 +431,12 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
4. Enter the following details:
**General**
- - Name: MDATP MDAV MAU settings
- - Description: Microsoft AutoUpdate settings for MDATP for macOS
- - Category: None (default)
- - Distribution Method: Install Automatically(default)
- - Level: Computer Level(default)
+
+ - Name: MDATP MDAV MAU settings
+ - Description: Microsoft AutoUpdate settings for MDATP for macOS
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
5. In **Application & Custom Settings** select **Configure**.
@@ -582,10 +511,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Identifier: `com.microsoft.wdav`
- Identifier Type: Bundle ID
- - Code Requirement: identifier `com.microsoft.wdav` and anchor apple generic and
-certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate
-leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate
-leaf[subject.OU] = UBF8T346G9
+ - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
@@ -594,32 +520,53 @@ leaf[subject.OU] = UBF8T346G9
+ - Under App or service: Set to **SystemPolicyAllFiles**
- - Under App or service: Set to **SystemPolicyAllFiles**
-
- - Under "access": Set to **Allow**
+ - Under "access": Set to **Allow**
7. Select **Save** (not the one at the bottom right).
-8. Select the **Scope** tab.
+8. Click the `+` sign next to **App Access** to add a new entry.
+
+ 
+
+9. Enter the following details:
+
+ - Identifier: `com.microsoft.wdav.epsext`
+ - Identifier Type: Bundle ID
+ - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+10. Select **+ Add**.
+
+ 
+
+ - Under App or service: Set to **SystemPolicyAllFiles**
+
+ - Under "access": Set to **Allow**
+
+11. Select **Save** (not the one at the bottom right).
+
+ 
+
+12. Select the **Scope** tab.
- 9. Select **+ Add**.
+13. Select **+ Add**.
-10. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
+14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
-11. Select **Add**.
+15. Select **Add**.
-12. Select **Save**.
+16. Select **Save**.
-13. Select **Done**.
+17. Select **Done**.
@@ -635,11 +582,12 @@ leaf[subject.OU] = UBF8T346G9
2. Enter the following details:
**General**
- - Name: MDATP MDAV Kernel Extension
- - Description: MDATP kernel extension (kext)
- - Category: None
- - Distribution Method: Install Automatically
- - Level: Computer Level
+
+ - Name: MDATP MDAV Kernel Extension
+ - Description: MDATP kernel extension (kext)
+ - Category: None
+ - Distribution Method: Install Automatically
+ - Level: Computer Level
@@ -648,11 +596,10 @@ leaf[subject.OU] = UBF8T346G9
-
4. In **Approved Kernel Extensions** Enter the following details:
- - Display Name: Microsoft Corp.
- - Team ID: UBF8T346G9
+ - Display Name: Microsoft Corp.
+ - Team ID: UBF8T346G9
@@ -677,10 +624,119 @@ leaf[subject.OU] = UBF8T346G9
-## Step 8: Schedule scans with Microsoft Defender ATP for Mac
+## Step 8: Approve System extensions for Microsoft Defender ATP
+
+1. In the **Configuration Profiles**, select **+ New**.
+
+ 
+
+2. Enter the following details:
+
+ **General**
+
+ - Name: MDATP MDAV System Extensions
+ - Description: MDATP system extensions
+ - Category: None
+ - Distribution Method: Install Automatically
+ - Level: Computer Level
+
+ 
+
+3. In **System Extensions** select **Configure**.
+
+ 
+
+4. In **System Extensions** enter the following details:
+
+ - Display Name: Microsoft Corp. System Extensions
+ - System Extension Types: Allowed System Extensions
+ - Team Identifier: UBF8T346G9
+ - Allowed System Extensions:
+ - **com.microsoft.wdav.epsext**
+ - **com.microsoft.wdav.netext**
+
+ 
+
+5. Select the **Scope** tab.
+
+ 
+
+6. Select **+ Add**.
+
+7. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+8. Select **+ Add**.
+
+ 
+
+9. Select **Save**.
+
+ 
+
+10. Select **Done**.
+
+ 
+
+## Step 9: Configure Network Extension
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+>[!NOTE]
+>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
+>As such, the following steps provide a workaround that involve signing the configuration profile.
+
+1. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) to your device and save it as `com.microsoft.network-extension.mobileconfig`
+
+2. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority
+
+3. After the certificate is created and installed to your device, run the following command from the Terminal from a macOS device:
+
+ ```bash
+ $ security cms -S -N "" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig
+ ```
+
+ 
+
+4. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button.
+
+ 
+
+5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
+
+ 
+
+6. Select **Upload**.
+
+ 
+
+7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
+
+ 
+
+8. Select the **Scope** tab.
+
+ 
+
+9. Select **+ Add**.
+
+10. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+11. Select **+ Add**.
+
+ 
+
+12. Select **Save**.
+
+ 
+
+13. Select **Done**.
+
+ 
+
+## Step 10: Schedule scans with Microsoft Defender ATP for Mac
Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
-## Step 9: Deploy Microsoft Defender ATP for macOS
+## Step 11: Deploy Microsoft Defender ATP for macOS
1. Navigate to where you saved `wdav.pkg`.
@@ -729,10 +785,12 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
9. Select **Save**. The package is uploaded to Jamf Pro.
- 
- It can take a few minutes for the package to be available for deployment.
- 
+ 
+
+ It can take a few minutes for the package to be available for deployment.
+
+ 
10. Navigate to the **Policies** page.
@@ -765,25 +823,31 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
17. Select **Save**.
+
-18. Select the **Scope** tab.
+18. Select the **Scope** tab.
+
19. Select the target computers.
- **Scope**
+ **Scope**
+
Select **Add**.
+
- **Self-Service**
+ **Self-Service**
+
20. Select **Done**.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 186304dde5..ec94cef29a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -31,7 +33,7 @@ ms.topic: conceptual
## Summary
-In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Users in your organization are not able to change preferences that are set through the configuration profile.
+In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Changing the preferences that are set through the configuration profile requires escalated privileges and is not available for users without administrative permissions.
This article describes the structure of the configuration profile, includes a recommended profile that you can use to get started, and provides instructions on how to deploy the profile.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
index 5bb254d10c..42d1a1e3fd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
index e13d95555f..266a05a30f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index 2aafa7220d..83030035f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -44,6 +46,9 @@ If you can reproduce a problem, increase the logging level, run the system for s
3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
+ > [!TIP]
+ > By default, diagnostic logs are saved to `/Library/Application Support/Microsoft/Defender/wdavdiag/`. To change the directory where diagnostic logs are saved, pass `--path [directory]` to the below command, replacing `[directory]` with the desired directory.
+
```bash
sudo mdatp diagnostic create
```
@@ -97,7 +102,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action audit` |
|Configuration|Turn on/off passiveMode |`mdatp config passive-mode --value enabled [enabled/disabled]` |
|Diagnostics |Change the log level |`mdatp log level set --level [error/warning/info/verbose]` |
-|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` |
+|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create --path [directory]` |
|Health |Check the product's health |`mdatp health` |
|Health |Check for a spefic product attribute |`mdatp health --field [attribute: healthy/licensed/engine_version...]` |
|Protection |Scan a path |`mdatp scan custom --path [path]` |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
index 5fde32aab8..fdad212625 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
index feb636fd2d..f4a32380f3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
index f773e91875..d369e94d36 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
index 72cfd50ff0..a05f815303 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
index 04cfb43c25..385a3fddb2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
index 24c22d7bd0..f53075c405 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
ROBOTS: noindex,nofollow
---
@@ -62,7 +64,7 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
>As such, the following steps provide a workaround that involve signing the configuration profile.
-1. Save the following content to your device as `com.microsoft.network-extension.mobileconfig`
+1. Save the following content to your device as `com.microsoft.network-extension.mobileconfig` using a text editor:
```xml
@@ -125,21 +127,38 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
```
-2. Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`:
+2. Verify that the above file was copied correctly by running the `plutil` utility in the Terminal:
```bash
- $ plutil -lint com.microsoft.network-extension.mobileconfig
- com.microsoft.network-extension.mobileconfig: OK
+ $ plutil -lint /com.microsoft.network-extension.mobileconfig
```
-3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority
-
-4. After the certificate is created and installed to your device, run the following command from the Terminal:
+ For example, if the file was stored in Documents:
```bash
- $ security cms -S -N "" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig
+ $ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig
```
+
+ Verify that the command outputs `OK`.
+
+ ```bash
+ /com.microsoft.network-extension.mobileconfig: OK
+ ```
+
+3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority.
+4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file:
+
+ ```bash
+ $ security cms -S -N "" -i /com.apple.webcontent-filter.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig
+ ```
+
+ For example, if the certificate name is **SigningCertificate** and the signed file is going to be stored in Documents:
+
+ ```bash
+ $ security cms -S -N "SigningCertificate" -i ~/Documents/com.apple.webcontent-filter.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig
+ ```
+
5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.microsoft.network-extension.signed.mobileconfig` when prompted for the file.
## Intune
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
index 27ec242709..86a435cc65 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
ROBOTS: noindex,nofollow
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
index a356d8d895..740aaacb77 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 1284f53db5..ca4617cc28 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -13,7 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -41,6 +43,23 @@ ms.topic: conceptual
> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
+## 101.09.50
+
+- This product version has been validated on macOS Big Sur 11 beta 9
+- The new syntax for the `mdatp` command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender ATP for Mac](mac-resources.md#configuring-from-the-command-line)
+
+ > [!NOTE]
+ > The old command-line tool syntax will be removed from the product on **January 1st, 2021**.
+
+- Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory
+- Performance improvements & bug fixes
+
+## 101.09.49
+
+- User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user
+- Improved CPU utilization during on-demand scans
+- Performance improvements & bug fixes
+
## 101.07.23
- Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 074b8fc31f..e2bb55c2a6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -41,6 +41,7 @@ Method|Return Type |Description
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
+[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the value of a device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md).
## Properties
@@ -63,3 +64,5 @@ exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evalu
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined).
machineTags | String collection | Set of [machine](machine.md) tags.
exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+deviceValue | Nullable Enum | The value of the device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md). Possible values are: 'Normal', 'Low' and 'High'.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
index 9ccda31130..c086033e55 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
@@ -1,10 +1,11 @@
---
-title: Manage Microsoft Defender ATP using Configuration Manager
-description: Learn how to manage Microsoft Defender ATP with Configuration Manager
+title: Manage Microsoft Defender for Endpoint using Configuration Manager
+description: Learn how to manage Microsoft Defender for Endpoint with Configuration Manager
keywords: post-migration, manage, operations, maintenance, utilization, Configuration Manager, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -13,31 +14,33 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-scenario
ms.topic: article
-ms.date: 09/04/2020
+ms.date: 09/22/2020
ms.reviewer: chventou
---
-# Manage Microsoft Defender Advanced Threat Protection with Configuration Manager
+# Manage Microsoft Defender for Endpoint with Configuration Manager
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
We recommend using We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) (Intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints).
- [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)
-- [Co-manage Microsoft Defender ATP on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
+- [Co-manage Microsoft Defender for Endpoint on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
-## Configure Microsoft Defender ATP with Configuration Manager
+## Configure Microsoft Defender for Endpoint with Configuration Manager
|Task |Resources to learn more |
|---------|---------|
|**Install the Configuration Manager console** if you don't already have it
*If you don't already have the Configuration Manger console, use these resources to get the bits and install it.* |[Get the installation media](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/install/get-install-media)
[Install the Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/install/install-consoles) |
-|**Use Configuration Manager to onboard devices** to Microsoft Defender ATP
*If you have devices (or endpoints) not already onboarded to Microsoft Defender ATP, you can do that with Configuration Manager.* |[Onboard to Microsoft Defender ATP with Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager) |
-|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints)
*Configure endpoint protection features, including Microsoft Defender ATP, exploit protection, application control, antimalware, firewall settings, and more.* |[Configuration Manager: Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection) |
+|**Use Configuration Manager to onboard devices** to Microsoft Defender for Endpoint
*If you have devices (or endpoints) not already onboarded to Microsoft Defender for Endpoint, you can do that with Configuration Manager.* |[Onboard to Microsoft Defender for Endpoint with Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager) |
+|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints)
*Configure endpoint protection features, including Microsoft Defender for Endpoint, exploit protection, application control, antimalware, firewall settings, and more.* |[Configuration Manager: Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection) |
|**Choose methods for updating antimalware updates** on your organization's devices
*With Endpoint Protection in Configuration Manager, you can choose from several methods to keep antimalware definitions up to date on your organization's devices.* |[Configure definition updates for Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definition-updates)
[Use Configuration Manager to deliver definition updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-configmgr) |
|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet
*We recommend using [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.* |[Turn on network protection with Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#microsoft-endpoint-configuration-manager) |
|**Configure controlled folder access** to protect against ransomware
*Controlled folder access is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Microsoft Endpoint Configuration Manage](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#microsoft-endpoint-configuration-manager) |
@@ -58,4 +61,4 @@ You can also configure whether and what features end users can see in the Micros
- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-- [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
+- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
index ffc5159b81..512edb5f3c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
@@ -1,10 +1,11 @@
---
-title: Manage Microsoft Defender ATP using Group Policy Objects
-description: Learn how to manage Microsoft Defender ATP with Group Policy Objects
+title: Manage Microsoft Defender for Endpoint using Group Policy Objects
+description: Learn how to manage Microsoft Defender for Endpoint with Group Policy Objects
keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -13,28 +14,30 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-scenario
ms.topic: article
-ms.date: 09/04/2020
+ms.date: 09/22/2020
ms.reviewer: chventou
---
-# Manage Microsoft Defender Advanced Threat Protection with Group Policy Objects
+# Manage Microsoft Defender for Endpoint with Group Policy Objects
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!NOTE]
> We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction). **[Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)**.
-You can use Group Policy Objects in Azure Active Directory Domain Services to manage some settings in Microsoft Defender ATP.
+You can use Group Policy Objects in Azure Active Directory Domain Services to manage some settings in Microsoft Defender for Endpoint.
-## Configure Microsoft Defender ATP with Group Policy Objects
+## Configure Microsoft Defender for Endpoint with Group Policy Objects
-The following table lists various tasks you can perform to configure Microsoft Defender ATP with Group Policy Objects.
+The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Group Policy Objects.
|Task |Resources to learn more |
|---------|---------|
@@ -64,4 +67,4 @@ You can also configure whether and what features end users can see in the Micros
- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-- [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
+- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
index 2d23d54ba2..eb630aad88 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
@@ -1,10 +1,11 @@
---
-title: Manage Microsoft Defender ATP using Intune
-description: Learn how to manage Microsoft Defender ATP with Intune
+title: Manage Microsoft Defender for Endpoint using Intune
+description: Learn how to manage Microsoft Defender for Endpoint with Intune
keywords: post-migration, manage, operations, maintenance, utilization, intune, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -13,25 +14,27 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-scenario
ms.topic: article
-ms.date: 09/04/2020
+ms.date: 09/22/2020
ms.reviewer: chventou
---
-# Manage Microsoft Defender Advanced Threat Protection with Intune
+# Manage Microsoft Defender for Endpoint with Intune
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes Microsoft Intune (Intune) to manage your organization's threat protection features for devices (also referred to as endpoints). [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview).
-This article describes how to find your Microsoft Defender ATP settings in Intune, and lists various tasks you can perform.
+This article describes how to find your Microsoft Defender for Endpoint settings in Intune, and lists various tasks you can perform.
-## Find your Microsoft Defender ATP settings in Intune
+## Find your Microsoft Defender for Endpoint settings in Intune
> [!IMPORTANT]
> You must be a global administrator or service administrator in Intune to configure the settings described in this article. To learn more, see **[Types of administrators (Intune)](https://docs.microsoft.com/mem/intune/fundamentals/users-add#types-of-administrators)**.
@@ -45,20 +48,20 @@ This article describes how to find your Microsoft Defender ATP settings in Intun
4. Select an existing profile, or create a new one.
> [!TIP]
-> Need help? See **[Using Microsoft Defender ATP with Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.
+> Need help? See **[Using Microsoft Defender for Endpoint with Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.
-## Configure Microsoft Defender ATP with Intune
+## Configure Microsoft Defender for Endpoint with Intune
-The following table lists various tasks you can perform to configure Microsoft Defender ATP with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
+The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
|Task |Resources to learn more |
|---------|---------|
|**Manage your organization's devices using Intune** to protect those devices and data stored on them |[Protect devices with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect) |
-|**Integrate Microsoft Defender ATP with Intune** as a Mobile Threat Defense solution
*(for Android devices and devices running Windows 10 or later)* |[Enforce compliance for Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection) |
-|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access) |
-|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)
[Policy CSP - Microsoft Defender ATP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) |
+|**Integrate Microsoft Defender for Endpoint with Intune** as a Mobile Threat Defense solution
*(for Android devices and devices running Windows 10 or later)* |[Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection) |
+|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access) |
+|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)
[Policy CSP - Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) |
|**If necessary, specify exclusions for Microsoft Defender Antivirus**
*Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.* |[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers)
[Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions)
[Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)|
-|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers
*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)
[Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)
[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) |
+|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers
*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)
[Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)
[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) |
|**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations
*Network filtering is also referred to as [network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection).*
*Make sure that Windows 10 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
[Review network protection events in Windows Event Viewer](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer) |
|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#intune) |
|**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices
*[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) is also referred to as Exploit Guard.* |[Endpoint protection: Microsoft Defender Exploit Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard)
[Enable exploit protection in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection#intune) |
@@ -67,7 +70,7 @@ The following table lists various tasks you can perform to configure Microsoft D
|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[Endpoint protection: Windows Encryption](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#windows-encryption)
[BitLocker for Windows 10 devices](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) |
|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks |For Windows 10, Windows Server 2016, and Windows Server 2019, see [Endpoint protection: Microsoft Defender Credential Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-credential-guard)
For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2](https://www.microsoft.com/download/details.aspx?id=36036) |
|**Configure Microsoft Defender Application Control** to choose whether to audit or trust apps on your organization's devices
*Microsoft Defender Application Control is also referred to as [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).*|[Deploy Microsoft Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
[Endpoint protection: Microsoft Defender Application Control](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control)
[AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp)|
-|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices |[Control USB devices and other removable media using Microsoft Defender ATP and Intune](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune) |
+|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices |[Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune) |
## Configure your Microsoft Defender Security Center
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
index e2f1cc83dc..111459747f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
@@ -1,10 +1,11 @@
---
-title: Manage Microsoft Defender ATP using PowerShell, WMI, and MPCmdRun.exe
-description: Learn how to manage Microsoft Defender ATP with PowerShell, WMI, and MPCmdRun.exe
+title: Manage Microsoft Defender for Endpoint using PowerShell, WMI, and MPCmdRun.exe
+description: Learn how to manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, WMI, MPCmdRun.exe, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -13,32 +14,34 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-scenario
ms.topic: article
-ms.date: 09/04/2020
+ms.date: 09/22/2020
ms.reviewer: chventou
---
-# Manage Microsoft Defender Advanced Threat Protection with PowerShell, WMI, and MPCmdRun.exe
+# Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!NOTE]
> We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction).
> - [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)
-> - [Co-manage Microsoft Defender ATP on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
-> - [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
+> - [Co-manage Microsoft Defender for Endpoint on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
+> - [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
-You can manage some Microsoft Defender Antivirus settings on devices with [PowerShell](#configure-microsoft-defender-atp-with-powershell), [Windows Management Instrumentation](#configure-microsoft-defender-atp-with-windows-management-instrumentation-wmi) (WMI), and the [Microsoft Malware Protection Command Line Utility](#configure-microsoft-defender-atp-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe) (MPCmdRun.exe). For example, you can manage some Microsoft Defender Antivirus settings. And, in some cases, you can customize your attack surface reduction rules and exploit protection settings.
+You can manage some Microsoft Defender Antivirus settings on devices with [PowerShell](#configure-microsoft-defender-for-endpoint-with-powershell), [Windows Management Instrumentation](#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi) (WMI), and the [Microsoft Malware Protection Command Line Utility](#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe) (MPCmdRun.exe). For example, you can manage some Microsoft Defender Antivirus settings. And, in some cases, you can customize your attack surface reduction rules and exploit protection settings.
> [!IMPORTANT]
> Threat protection features that you configure by using PowerShell, WMI, or MCPmdRun.exe can be overwritten by configuration settings that are deployed with Intune or Configuration Manager.
-## Configure Microsoft Defender ATP with PowerShell
+## Configure Microsoft Defender for Endpoint with PowerShell
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.
@@ -50,9 +53,9 @@ You can use PowerShell to manage Microsoft Defender Antivirus, exploit protectio
|**Enable Network Protection** with PowerShell
*You can use PowerShell to enable Network Protection.* |[Turn on Network Protection with PowerShell](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#powershell) |
|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Enable controlled folder access with PowerShell](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#powershell) |
|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices |[Microsoft Defender Firewall with Advanced Security Administration using Windows PowerShell](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell) |
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker PowerShell reference guide](https://docs.microsoft.com/powershell/module/bitlocker/?view=win10-ps) |
+|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker PowerShell reference guide](https://docs.microsoft.com/powershell/module/bitlocker/?view=win10-ps&preserve-view=true) |
-## Configure Microsoft Defender ATP with Windows Management Instrumentation (WMI)
+## Configure Microsoft Defender for Endpoint with Windows Management Instrumentation (WMI)
WMI is a scripting interface that allows you to retrieve, modify, and update settings. To learn more, see [Using WMI](https://docs.microsoft.com/windows/win32/wmisdk/using-wmi).
@@ -62,7 +65,7 @@ WMI is a scripting interface that allows you to retrieve, modify, and update set
|**Retrieve, modify, and update settings** for Microsoft Defender Antivirus | [Use WMI to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus)
[Review the list of available WMI classes and example scripts](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
Also see the archived [Windows Defender WMIv2 Provider reference information](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal?redirectedfrom=MSDN) |
-## Configure Microsoft Defender ATP with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
+## Configure Microsoft Defender for Endpoint with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
@@ -87,4 +90,4 @@ You can also configure whether and what features end users can see in the Micros
- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-- [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
+- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
index ec99415384..246b542364 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
@@ -1,10 +1,11 @@
---
-title: Manage Microsoft Defender ATP post migration
-description: Now that you've made the switch to Microsoft Defender ATP, your next step is to manage your threat protection features
+title: Manage Microsoft Defender for Endpoint post migration
+description: Now that you've made the switch to Microsoft Defender for Endpoint, your next step is to manage your threat protection features
keywords: post-migration, manage, operations, maintenance, utilization, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -13,21 +14,23 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- M365-security-compliance
+- m365solution-scenario
ms.topic: conceptual
-ms.date: 09/04/2020
+ms.date: 09/22/2020
ms.reviewer: chventou
---
-# Manage Microsoft Defender Advanced Threat Protection, post migration
+# Manage Microsoft Defender for Endpoint, post migration
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender ATP, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy).
+After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender for Endpoint, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy).
The following table lists various tools/methods you can use, with links to learn more.
@@ -35,8 +38,8 @@ The following table lists various tools/methods you can use, with links to learn
|Tool/Method |Description |
|---------|---------|
|**[Threat and vulnerability management dashboard insights](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) |The threat & vulnerability management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture.
See [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) and [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). |
-|**[Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications.
See [Manage Microsoft Defender ATP using Intune](manage-atp-post-migration-intune.md). |
-|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.
See [Manage Microsoft Defender ATP with Configuration Manager](manage-atp-post-migration-configuration-manager.md). |
-|**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).
See [Manage Microsoft Defender ATP with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
-|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender ATP with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-atp-with-powershell).
You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender ATP with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-atp-with-windows-management-instrumentation-wmi).
You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender ATP with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-atp-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
+|**[Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications.
See [Manage Microsoft Defender for Endpoint using Intune](manage-atp-post-migration-intune.md). |
+|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.
See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). |
+|**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).
See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
+|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).
You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).
You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 116cc0e459..ab130cb910 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -13,7 +13,9 @@ author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
ms.date: 09/15/2020
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
index 1755204179..458c0798ce 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
@@ -14,7 +14,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
index 05f77e6b94..04dc76e4e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
@@ -13,9 +13,10 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
-ms.date: 10/08/2018
---
# Manage Microsoft Defender ATP incidents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
index 87e7025713..e9fa0412b0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
@@ -1,10 +1,11 @@
---
-title: Migrate from McAfee to Microsoft Defender ATP
-description: Make the switch from McAfee to Microsoft Defender ATP. Read this article for an overview.
+title: Migrate from McAfee to Microsoft Defender for Endpoint
+description: Make the switch from McAfee to Microsoft Defender for Endpoint. Read this article for an overview.
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -19,7 +20,7 @@ ms.collection:
- m365solution-overview
ms.topic: conceptual
ms.custom: migrationguides
-ms.date: 09/03/2020
+ms.date: 09/22/2020
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
@@ -28,21 +29,21 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration.
+If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide to plan your migration.
## The migration process
-When you switch from McAfee to Microsoft Defender ATP, you follow a process that can be divided into three phases, as described in the following table:
+When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
|Phase |Description |
|--|--|
-|[](mcafee-to-microsoft-defender-prepare.md)
[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP. |
-|[](mcafee-to-microsoft-defender-setup.md)
[Set up Microsoft Defender ATP](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[](mcafee-to-microsoft-defender-onboard.md)
[Onboard to Microsoft Defender ATP](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender ATP is in active mode. |
+|[](mcafee-to-microsoft-defender-prepare.md)
[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
+|[](mcafee-to-microsoft-defender-setup.md)
[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[](mcafee-to-microsoft-defender-onboard.md)
[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
-## What's included in Microsoft Defender ATP?
+## What's included in Microsoft Defender for Endpoint?
-In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP.
+In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
| Feature/Capability | Description |
|---|---|
@@ -55,7 +56,7 @@ In this migration guide, we focus on [next-generation protection](https://docs.m
| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).**
+**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
## Next step
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
index 07b9363521..d38a5977e8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
@@ -1,10 +1,11 @@
---
-title: McAfee to Microsoft Defender ATP - Onboard
-description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender ATP.
+title: McAfee to Microsoft Defender for Endpoint - Onboard
+description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender for Endpoint.
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -16,13 +17,14 @@ audience: ITPro
ms.collection:
- M365-security-compliance
- m365solution-McAfeemigrate
+- m365solution-scenario
ms.custom: migrationguides
ms.topic: article
-ms.date: 09/03/2020
+ms.date: 09/24/2020
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
-# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender ATP
+# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@@ -32,14 +34,14 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
|| |*You are here!* |
-**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
+**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
-1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp).
+1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
2. [Run a detection test](#run-a-detection-test).
3. [Uninstall McAfee](#uninstall-mcafee).
-4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode).
+4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
-## Onboard devices to Microsoft Defender ATP
+## Onboard devices to Microsoft Defender for Endpoint
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
@@ -47,7 +49,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
3. In the **Select operating system to start onboarding process** list, select an operating system.
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods).
+4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
### Onboarding methods
@@ -63,33 +65,33 @@ Deployment methods vary, depending on which operating system is selected. Refer
## Run a detection test
-To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test.
+To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
|Operating system |Guidance |
|---------|---------|
-|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
+|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
+|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
## Uninstall McAfee
-Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall McAfee.
+Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall McAfee.
-To get help with this step, go to your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)).
+To get help with this step, go to your McAfee ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)).
-## Make sure Microsoft Defender ATP is in active mode
+## Make sure Microsoft Defender for Endpoint is in active mode
Now that you have uninstalled McAfee, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
-To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
- Cloud-delivered protection
- Potentially Unwanted Applications (PUA)
- Network Protection (NP)
## Next steps
-**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
index 91961c7159..fe973d1a59 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
@@ -1,10 +1,11 @@
---
-title: McAfee to Microsoft Defender ATP - Prepare
+title: McAfee to Microsoft Defender for Endpoint - Prepare
description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender ATP.
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -16,9 +17,10 @@ audience: ITPro
ms.collection:
- M365-security-compliance
- m365solution-mcafeemigrate
+- m365solution-scenario
ms.topic: article
ms.custom: migrationguides
-ms.date: 09/03/2020
+ms.date: 09/22/2020
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
@@ -32,11 +34,11 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
|*You are here!*| | |
-**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**.
+**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**.
This migration phase includes the following steps:
1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
-2. [Get Microsoft Defender ATP](#get-microsoft-defender-atp).
+2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
@@ -68,15 +70,15 @@ Need help updating your organization's devices? See the following resources:
|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
-## Get Microsoft Defender ATP
+## Get Microsoft Defender for Endpoint
Now that you've updated your organization's devices, the next step is to get Microsoft Defender ATP, assign licenses, and make sure the service is provisioned.
-1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp).
+1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
@@ -117,6 +119,6 @@ To enable communication between your devices and Microsoft Defender ATP, configu
## Next step
-**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
-- [Proceed to set up Microsoft Defender ATP](mcafee-to-microsoft-defender-setup.md).
+- [Proceed to set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
index 90f4176e55..8813e53523 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
@@ -1,10 +1,11 @@
---
-title: McAfee to Microsoft Defender ATP - Setup
-description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender ATP.
+title: McAfee to Microsoft Defender for Endpoint - Setup
+description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender for Endpoint.
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,14 +16,15 @@ manager: dansimp
audience: ITPro
ms.collection:
- M365-security-compliance
-- m365solution-mcafeemigrate
+- m365solution-mcafeemigrate
+- m365solution-scenario
ms.topic: article
ms.custom: migrationguides
-ms.date: 09/15/2020
+ms.date: 09/22/2020
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
-# Migrate from McAfee - Phase 2: Set up Microsoft Defender ATP
+# Migrate from McAfee - Phase 2: Set up Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@@ -35,9 +37,9 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-3. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-atp-to-the-exclusion-list-for-mcafee).
+3. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee).
4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus).
-5. [Add McAfee to the exclusion list for Microsoft Defender ATP](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-atp).
+5. [Add McAfee to the exclusion list for Microsoft Defender for Endpoint](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
@@ -149,9 +151,9 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
-## Add Microsoft Defender ATP to the exclusion list for McAfee
+## Add Microsoft Defender for Endpoint to the exclusion list for McAfee
-This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for McAfee and any other security products your organization is using.
+This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for McAfee and any other security products your organization is using.
> [!TIP]
> To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html).
@@ -183,7 +185,7 @@ You can choose from several methods to add your exclusions to Microsoft Defender
|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-## Add McAfee to the exclusion list for Microsoft Defender ATP
+## Add McAfee to the exclusion list for Microsoft Defender for Endpoint
To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
@@ -251,6 +253,6 @@ Using Configuration Manager and your device collection(s), configure your antima
## Next step
-**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
-- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](mcafee-to-microsoft-defender-onboard.md)
+- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
index a382a8463d..4b4a872950 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
index c82a60cb3c..118ea48672 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
@@ -14,7 +14,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -32,9 +34,9 @@ ms.topic: conceptual
The public preview of Microsoft Defender ATP for iOS will offer protection
-against phishing and unsafe network connections from websites, emails and apps.
+against phishing and unsafe network connections from websites, emails, and apps.
All alerts will be available through a single pane of glass in the Microsoft
-Defender Security Center, giving security teams a centralized view of threats on
+Defender Security Center. The portal gives security teams a centralized view of threats on
iOS devices along with other platforms.
## Pre-requisites
@@ -72,4 +74,5 @@ iOS devices along with other platforms.
## Next steps
-Microsoft Defender for Endpoint capabilities for iOS will be released into public preview in the coming weeks. At that time, we will publish additional deployment and configuration information. Please check back here in a few weeks.
+- [Deploy Microsoft Defender ATP for iOS](ios-install.md)
+- [Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
index 1e0b400707..ea21452763 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index 90fef9d116..06899fd04e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -14,7 +14,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -70,6 +72,18 @@ Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
+### Licensing requirements
+
+Microsoft Defender Advanced Threat Protection for Mac requires one of the following Microsoft Volume Licensing offers:
+
+- Microsoft 365 E5 (M365 E5)
+- Microsoft 365 E5 Security
+- Microsoft 365 A5 (M365 A5)
+
+> [!NOTE]
+> Eligible licensed users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
+> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
+
### Network connections
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
index ee826bd394..e04a02313b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
index ecb755c220..4aed901842 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
@@ -14,7 +14,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -35,9 +37,12 @@ Watch this video for a quick overview of Microsoft Threat Experts.
## Before you begin
+> [!NOTE]
+> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
+
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
-If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.
+If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.
## Targeted attack notification
Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed hunting service includes:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
index f455a605a9..308308a4d0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
@@ -1,36 +1,40 @@
---
-title: Make the switch to Microsoft Defender ATP
-description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender ATP
+title: Migration guides to make the switch to Microsoft Defender for Endpoint
+description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint
search.appverid: MET150
author: denisebmsft
ms.author: deniseb
manager: dansimp
audience: ITPro
ms.topic: conceptual
-ms.date: 09/08/2020
ms.prod: w10
ms.localizationpriority: medium
ms.collection:
- M365-security-compliance
+- m365solution-scenario
ms.custom: migrationguides
ms.reviewer: chriggs, depicker, yongrhee
f1.keywords: NOCSH
+ms.date: 09/24/2020
---
-# Make the switch to Microsoft Defender ATP and Microsoft Defender Antivirus
+# Make the switch to Microsoft Defender for Endpoint and Microsoft Defender Antivirus
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
## Migration guides
-If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Microsoft Defender Antivirus, check out our migration guidance.
+If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint with Microsoft Defender Antivirus, check out our migration guidance. Select the scenario that best represents where you are in your deployment process, and see the guidance.
-- [McAfee Endpoint Security (McAfee) to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md)
-
-- [Symantec Endpoint Protection (Symantec) to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md)
-
-- [Manage Microsoft Defender Advanced Threat Protection, after you've migrated](manage-atp-post-migration.md)
+|Scenario |Guidance |
+|:--|:--|
+|You do not have an endpoint protection solution yet, and you want to know more about how Microsoft Defender for Endpoint & Microsoft Defender Antivirus work. |[Microsoft Defender ATP evaluation lab](evaluation-lab.md) |
+|You have Microsoft Defender for Endpoint & Microsoft Defender Antivirus and need some help getting everything set up and configured. |[Microsoft Defender Advanced Threat Protection deployment guide](deployment-phases.md) |
+|You're planning to migrate from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md) |
+|You're planning to migrate from Symantec Endpoint Protection (Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md) |
+|You're planning to migrate from a non-Microsoft endpoint protection solution (other than McAfee or Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) |
+|You've migrated to Microsoft Defender for Endpoint & Microsoft Defender Antivirus, and you need help with next steps, such as configuring additional features or fine-tuning your security settings. | [Manage Microsoft Defender for Endpoint, post-migration](manage-atp-post-migration.md) |
## Got feedback?
@@ -39,8 +43,6 @@ Let us know what you think! Submit your feedback at the bottom of the page. We'l
## See also
-- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection)
-
-- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
-
-- [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?)
+- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection)
+- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
+- [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 546cc62c58..3e712cd6f9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -61,7 +61,7 @@ For detailed licensing information, see the [Product Terms site](https://www.mic
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
-For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559).
+For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wfbdevicemanagementprod.blob.core.windows.net/windowsforbusiness/Windows10_CommercialEdition_Comparison.pdf).
## Browser requirements
Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
@@ -80,12 +80,11 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
- Windows 7 SP1 Pro
- Windows 8.1 Enterprise
- Windows 8.1 Pro
-- Windows 10, version 1607 or later
- - Windows 10 Enterprise
- - [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/)
- - Windows 10 Education
- - Windows 10 Pro
- - Windows 10 Pro Education
+- Windows 10 Enterprise
+- [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/)
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows server
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
@@ -107,13 +106,12 @@ The hardware requirements for Microsoft Defender ATP on devices are the same for
### Other supported operating systems
- Android
-- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
+- Linux
- macOS
> [!NOTE]
> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.
->
-> Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux.
+
### Network and data storage and configuration requirements
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 9286621ecb..a0f4515971 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -86,11 +86,7 @@ Watch this video for a comprehensive walk-through of threat and vulnerability ma
Ensure that your devices:
- Are onboarded to Microsoft Defender Advanced Threat Protection
-- Run with Windows 10 1709 (Fall Creators Update) or later
-
->[!NOTE]
->Threat and vulnerability management can also scan devices that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
-
+- Run [supported operating systems and platforms](tvm-supported-os.md)
- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
> Release | Security update KB number and link
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
index d839dabec7..c09d936fcd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
@@ -14,7 +14,8 @@ manager: dansimp
audience: ITPro
ms.collection:
- M365-security-compliance
-- m365solution-endpointprotect
+- m365solution-endpointprotect
+- m365solution-scenario
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md
index 31593b47cc..76f2c2c7e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md
@@ -14,7 +14,8 @@ manager: dansimp
audience: ITPro
ms.collection:
- M365-security-compliance
-- m365solution-endpointprotect
+- m365solution-endpointprotect
+- m365solution-scenario
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
index feeca610db..6ac048cf9d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -14,7 +14,8 @@ manager: dansimp
audience: ITPro
ms.collection:
- M365-security-compliance
-- m365solution-endpointprotect
+- m365solution-endpointprotect
+- m365solution-scenario
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index 1217b7de99..9e4e98ffb5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -15,7 +15,8 @@ manager: dansimp
audience: ITPro
ms.collection:
- M365-security-compliance
-- m365solution-endpointprotect
+- m365solution-endpointprotect
+- m365solution-scenario
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 3e747e8768..4443433ac4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -21,6 +23,8 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+>[!IMPORTANT]
+>The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -51,13 +55,12 @@ Turn on the preview experience setting to be among the first to try upcoming fea
The following features are included in the preview release:
- [Microsoft Defender ATP for iOS](microsoft-defender-atp-ios.md)
Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS.
+
- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
- - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
+- [Web Content Filtering](web-content-filtering.md)
Web content filtering is part of web protection capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your device to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
-
- - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
+ - [Threat and vulnerability management supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
- [Device health and compliance report](machine-reports.md)
The device health and compliance report provides high-level information about the devices in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 6e8ce89f59..4a974f0e24 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -15,7 +15,8 @@ manager: dansimp
audience: ITPro
ms.collection:
- M365-security-compliance
-- m365solution-endpointprotect
+- m365solution-endpointprotect
+- m365solution-scenario
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index 38400901cd..078b9f44ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -71,7 +71,7 @@ You'll use the access token to access the protected resource, which are detectio
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
-```syntax
+```http
POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
@@ -124,14 +124,14 @@ CloudCreatedMachineTags | string | Device tags that were created in Microsoft De
### Request example
The following example demonstrates how to retrieve all the detections in your organization.
-```syntax
+```http
GET https://wdatp-alertexporter-eu.windows.com/api/alerts
Authorization: Bearer
```
The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00.
-```syntax
+```http
GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
Authorization: Bearer
```
@@ -142,39 +142,60 @@ The return value is an array of alert objects in JSON format.
Here is an example return value:
```json
-{"AlertTime":"2017-01-23T07:32:54.1861171Z",
-"ComputerDnsName":"desktop-bvccckk",
-"AlertTitle":"Suspicious PowerShell commandline",
-"Category":"SuspiciousActivity",
-"Severity":"Medium",
-"AlertId":"636207535742330111_-1114309685",
-"Actor":null,
-"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
-"IocName":null,
-"IocValue":null,
-"CreatorIocName":null,
-"CreatorIocValue":null,
-"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
-"FileName":"powershell.exe",
-"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
-"IpAddress":null,
-"Url":null,
-"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
-"UserName":null,
-"AlertPart":0,
-"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
-"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
-"ThreatCategory":null,
-"ThreatFamily":null,
-"ThreatName":null,
-"RemediationAction":null,
-"RemediationIsSuccess":null,
-"Source":"Microsoft Defender ATP",
-"Md5":null,
-"Sha256":null,
-"WasExecutingWhileDetected":null,
-"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
-"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
+[
+{
+ "AlertTime": "2020-09-30T14:09:20.35743Z",
+ "ComputerDnsName": "mymachine1.domain.com",
+ "AlertTitle": "Suspicious File Activity",
+ "Category": "Malware",
+ "Severity": "High",
+ "AlertId": "da637370718981685665_16349121",
+ "Actor": "",
+ "LinkToWDATP": "https://securitycenter.windows.com/alert/da637370718981685665_16349121",
+ "IocName": "",
+ "IocValue": "",
+ "CreatorIocName": "",
+ "CreatorIocValue": "",
+ "Sha1": "aabbccddee1122334455aabbccddee1122334455",
+ "FileName": "cmdParent.exe",
+ "FilePath": "C:\\WINDOWS\\SysWOW64\\boo3\\qwerty",
+ "IpAddress": "",
+ "Url": "",
+ "IoaDefinitionId": "b20af1d2-5990-4672-87f1-acc2a8ff7725",
+ "UserName": "",
+ "AlertPart": 0,
+ "FullId": "da637370718981685665_16349121:R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY=",
+ "LastProcessedTimeUtc": "2020-09-30T14:11:44.0779765Z",
+ "ThreatCategory": "",
+ "ThreatFamily": "",
+ "ThreatName": "",
+ "RemediationAction": "",
+ "RemediationIsSuccess": null,
+ "Source": "EDR",
+ "Md5": "854b85cbff2752fcb88606bca76f83c6",
+ "Sha256": "",
+ "WasExecutingWhileDetected": null,
+ "UserDomain": "",
+ "LogOnUsers": "",
+ "MachineDomain": "domain.com",
+ "MachineName": "mymachine1",
+ "InternalIPv4List": "",
+ "InternalIPv6List": "",
+ "FileHash": "aabbccddee1122334455aabbccddee1122334455",
+ "DeviceID": "deadbeef000040830ee54503926f556dcaf82bb0",
+ "MachineGroup": "",
+ "Description": "Test Alert",
+ "DeviceCreatedMachineTags": "",
+ "CloudCreatedMachineTags": "",
+ "CommandLine": "",
+ "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM",
+ "ReportID": 1053729833,
+ "LinkToMTP": "https://security.microsoft.com/alert/da637370718981685665_16349121",
+ "IncidentLinkToMTP": "https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM",
+ "ExternalId": "31DD0A845DDA4059FDEDE031014645350AECABD3",
+ "IocUniqueId": "R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY="
+}
+]
```
## Code examples
diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
index b956165700..55fe2974c7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
@@ -11,7 +11,9 @@ author: danihalfin
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
ms.date: 5/1/2020
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index a902dc094d..1d8c035b5c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -29,7 +29,9 @@ ms.topic: article
## Limitations
1. You can only run a query on data from the last 30 days.
2. The results will include a maximum of 100,000 rows.
-3. The number of executions is limited per tenant: up to 10 calls per minute, 10 minutes of running time every hour and 4 hours of running time a day.
+3. The number of executions is limited per tenant:
+ - API calls: Up to 15 calls per minute
+ - Execution time: 10 minutes of running time every hour and 4 hours of running time a day
4. The maximal execution time of a single request is 10 minutes.
5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
index 257fb9494d..a40530476f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
new file mode 100644
index 0000000000..65012f7ca0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
@@ -0,0 +1,78 @@
+---
+title: Set device value API
+description: Learn how to specify the value of a device using a Microsoft Defender Advanced Threat Protection API.
+keywords: apis, graph api, supported apis, tags, machine tags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Set device value API
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+## API description
+
+Set the device value of a specific [Machine](machine.md).
+See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md) for more information.
+
+## Limitations
+
+1. You can post on devices last seen according to your configured retention period.
+
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>
+>- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
+
+## HTTP request
+
+```http
+POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/setDeviceValue
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+
+```json
+{
+ "DeviceValue": "{device value}"
+}
+```
+
+## Response
+
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
new file mode 100644
index 0000000000..c9b60c2b17
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
@@ -0,0 +1,63 @@
+---
+title: Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
+description: Make the switch to Microsoft Defender for Endpoint. Read this article for an overview.
+keywords: migration, windows defender advanced endpoint protection, for Endpoint, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-migratetomdatp
+- m365solution-overview
+ms.topic: conceptual
+ms.custom: migrationguides
+ms.date: 09/24/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
+
+If you are planning to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), and you're looking for help, you're in the right place. Use this article as a guide to plan your migration.
+
+> [!TIP]
+> - If you're currently using McAfee Endpoint Security (McAfee), see [Migrate from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md).
+> - If you're currently using Symantec Endpoint Protection (Symantec), see [Migrate from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md).
+
+## The migration process
+
+When you switch to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
+
+|Phase |Description |
+|--|--|
+|[](switch-to-microsoft-defender-prepare.md)
[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
+|[](switch-to-microsoft-defender-setup.md)
[Set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and your existing endpoint protection solution. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[](switch-to-microsoft-defender-onboard.md)
[Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall your existing endpoint protection solution and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
+
+## What's included in Microsoft Defender for Endpoint?
+
+In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
+
+| Feature/Capability | Description |
+|---|---|
+| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
+| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
+| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
+| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
+| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
+| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
+| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
+| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
+
+**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
+
+## Next step
+
+- Proceed to [Prepare for your migration](switch-to-microsoft-defender-prepare.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
new file mode 100644
index 0000000000..4852139083
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
@@ -0,0 +1,93 @@
+---
+title: Switch to Microsoft Defender for Endpoint - Onboard
+description: This is phase 3, Onboard, for migrating from a non-Microsoft solution to Microsoft Defender for Endpoint.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.technology: windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-migratetomdatp
+ms.custom: migrationguides
+ms.topic: article
+ms.date: 09/24/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Switch to Microsoft Defender for Endpoint - Phase 3: Onboard
+
+|[](switch-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |[](switch-to-microsoft-defender-setup.md)
[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |
Phase 3: Onboard |
+|--|--|--|
+|| |*You are here!* |
+
+
+**Welcome to Phase 3 of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
+
+1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
+2. [Run a detection test](#run-a-detection-test).
+3. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution).
+4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
+
+## Onboard devices to Microsoft Defender for Endpoint
+
+1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
+
+2. Choose **Settings** > **Device management** > **Onboarding**.
+
+3. In the **Select operating system to start onboarding process** list, select an operating system.
+
+4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
+
+### Onboarding methods
+
+Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
+
+|Operating system |Method |
+|---------|---------|
+|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
+|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
+|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
+
+## Run a detection test
+
+To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
+
+
+|Operating system |Guidance |
+|---------|---------|
+|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
+|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
+|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
+
+## Uninstall your non-Microsoft solution
+
+Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall your non-Microsoft endpoint protection solution.
+
+To get help with this step, reach out to your solution provider's technical support team.
+
+## Make sure Microsoft Defender for Endpoint is in active mode
+
+Now that you have uninstalled your non-Microsoft endpoint protection solution, your next step is to make sure that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are enabled and in active mode.
+
+To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+- Cloud-delivered protection
+- Potentially Unwanted Applications (PUA)
+- Network Protection (NP)
+
+## Next steps
+
+**Congratulations**! You have completed your [migration to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
+- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
new file mode 100644
index 0000000000..5896bc9f4e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
@@ -0,0 +1,114 @@
+---
+title: Switch to Microsoft Defender for Endpoint - Prepare
+description: This is phase 1, Prepare, for migrating to Microsoft Defender for Endpoint.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.technology: windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-migratetomdatp
+ms.topic: article
+ms.custom: migrationguides
+ms.date: 09/22/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Switch to Microsoft Defender for Endpoint - Phase 1: Prepare
+
+|
Phase 1: Prepare |[](switch-to-microsoft-defender-setup.md)
[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |[](switch-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
+|--|--|--|
+|*You are here!*| | |
+
+
+**Welcome to the Prepare phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**.
+
+This migration phase includes the following steps:
+1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
+2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
+3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
+4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
+
+## Get and deploy updates across your organization's devices
+
+As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
+
+### Make sure your existing solution is up to date
+
+Keep your existing endpoint protection solution up to date, and make sure that your organization's devices have the latest security updates.
+
+Need help? See your solution provider's documentation.
+
+### Make sure your organization's devices are up to date
+
+Need help updating your organization's devices? See the following resources:
+
+|OS | Resource |
+|:--|:--|
+|Windows |[Microsoft Update](https://www.update.microsoft.com) |
+|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)|
+|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
+|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
+|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
+
+## Get Microsoft Defender for Endpoint
+
+Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned.
+
+1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
+
+2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
+
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
+
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
+
+At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
+
+> [!NOTE]
+> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal, and can be accessed at [https://aka.ms/MDATPportal](https://aka.ms/MDATPportal).
+
+## Grant access to the Microsoft Defender Security Center
+
+The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
+
+Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
+
+1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
+
+2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
+
+ If your organization requires a method other than Intune, choose one of the following options:
+ - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
+ - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
+ - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
+
+3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
+
+## Configure device proxy and internet connectivity settings
+
+To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
+
+|Capabilities | Operating System | Resources |
+|--|--|--|
+|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
+|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
+|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
+|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
+|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
+|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) |
+
+## Next step
+
+**Congratulations**! You have completed the **Prepare** phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Proceed to set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
new file mode 100644
index 0000000000..b8c66898af
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
@@ -0,0 +1,254 @@
+---
+title: Switch to Microsoft Defender for Endpoint - Setup
+description: This is phase 2, Setup, for switching to Microsoft Defender for Endpoint.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.technology: windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-migratetomdatp
+ms.topic: article
+ms.custom: migrationguides
+ms.date: 09/22/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Switch to Microsoft Defender for Endpoint - Phase 2: Setup
+
+|[](switch-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |
Phase 2: Set up |[](switch-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
+|--|--|--|
+||*You are here!* | |
+
+
+**Welcome to the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
+1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
+2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+3. [Add Microsoft Defender for Endpoint to the exclusion list for your existing endpoint solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).
+4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus).
+5. [Add your existing solution to the exclusion list for Microsoft Defender for Endpoint](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
+6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
+7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
+
+## Enable Microsoft Defender Antivirus and confirm it's in passive mode
+
+On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
+
+This step of the migration process includes the following tasks:
+- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
+- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);
+- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
+- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and
+- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
+
+### Set DisableAntiSpyware to false on Windows Server
+
+The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
+
+1. On your Windows Server device, open Registry Editor.
+
+2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
+
+3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
+
+ - If you do not see that entry, you're all set.
+
+ - If you do see **DisableAntiSpyware**, proceed to step 4.
+
+4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
+
+5. Set the value to `0`. (This sets the registry key's value to *false*.)
+
+> [!TIP]
+> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
+
+### Reinstall Microsoft Defender Antivirus on Windows Server
+
+> [!NOTE]
+> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
+> - Windows Server 2019
+> - Windows Server, version 1803 (core-only mode)
+> - Windows Server 2016
+
+1. As a local administrator on the endpoint or device, open Windows PowerShell.
+
+2. Run the following PowerShell cmdlets:
+
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+
+3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
+
+ `Get-Service -Name windefend`
+
+> [!TIP]
+> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
+
+### Set Microsoft Defender Antivirus to passive mode on Windows Server
+
+Because your organization is still using your existing endpoint protection solution, you must set Microsoft Defender Antivirus to passive mode. That way, your existing solution and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
+
+1. Open Registry Editor, and then navigate to
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
+
+2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
+
+ - Set the DWORD's value to **1**.
+
+ - Under **Base**, select **Hexadecimal**.
+
+> [!NOTE]
+> You can use other methods to set the registry key, such as the following:
+>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
+>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
+>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
+
+### Enable Microsoft Defender Antivirus on your Windows client devices
+
+Because your organization has been using a non-Microsoft antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
+
+To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
+
+|Method |What to do |
+|---------|---------|
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+
+### Confirm that Microsoft Defender Antivirus is in passive mode
+
+Microsoft Defender Antivirus can run alongside your existing endpoint protection solution if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+
+|Method |What to do |
+|---------|---------|
+|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
+
+> [!NOTE]
+> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
+
+## Get updates for Microsoft Defender Antivirus
+
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+- Security intelligence updates
+- Product updates
+
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+
+## Add Microsoft Defender for Endpoint to the exclusion list for your existing solution
+
+This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using.
+
+> [!TIP]
+> To get help configuring exclusions, refer to your solution provider's documentation.
+
+The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
+
+|OS |Exclusions |
+|--|--|
+|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
+|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+
+## Add your existing solution to the exclusion list for Microsoft Defender Antivirus
+
+During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list.
+
+When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
+- Path exclusions exclude specific files and whatever those files access.
+- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
+- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
+- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
+
+You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
+
+|Method | What to do|
+|--|--|
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
+|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+
+## Add your existing solution to the exclusion list for Microsoft Defender for Endpoint
+
+To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
+
+1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
+
+2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
+
+3. On the **File hashes** tab, choose **Add indicator**.
+
+3. On the **Indicator** tab, specify the following settings:
+ - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
+ - Under **Expires on (UTC)**, choose **Never**.
+
+4. On the **Action** tab, specify the following settings:
+ - **Response Action**: **Allow**
+ - Title and description
+
+5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
+
+6. On the **Summary** tab, review the settings, and then click **Save**.
+
+### Find a file hash using CMPivot
+
+CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
+
+To use CMPivot to get your file hash, follow these steps:
+
+1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
+
+2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
+
+3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
+
+4. Select the **Query** tab.
+
+5. In the **Device Collection** list, and choose **All Systems (default)**.
+
+6. In the query box, type the following query:
+
+```kusto
+File(c:\\windows\\notepad.exe)
+| project Hash
+```
+> [!NOTE]
+> In the query above, replace *notepad.exe* with the your third-party security product process name.
+
+## Set up your device groups, device collections, and organizational units
+
+| Collection type | What to do |
+|--|--|
+|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
+|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
+
+## Configure antimalware policies and real-time protection
+
+Using Configuration Manager and your device collection(s), configure your antimalware policies.
+
+- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
+
+- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
+
+> [!TIP]
+> You can deploy the policies before your organization's devices on onboarded.
+
+## Next step
+
+**Congratulations**! You have completed the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
index d836b3c2a9..371f380e63 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
@@ -1,10 +1,11 @@
---
-title: Migrate from Symantec to Microsoft Defender ATP
-description: Get an overview of how to make the switch from Symantec to Microsoft Defender ATP
+title: Migrate from Symantec to Microsoft Defender for Endpoint
+description: Get an overview of how to make the switch from Symantec to Microsoft Defender for Endpoint
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -18,31 +19,31 @@ ms.collection:
- m365solution-symantecmigrate
- m365solution-overview
ms.topic: conceptual
-ms.date: 09/04/2020
+ms.date: 09/22/2020
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
-# Migrate from Symantec to Microsoft Defender Advanced Threat Protection
+# Migrate from Symantec to Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration.
+If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), you're in the right place. Use this article as a guide to plan your migration.
## The migration process
-When you switch from Symantec to Microsoft Defender ATP, you follow a process that can be divided into three phases, as described in the following table:
+When you switch from Symantec to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
|Phase |Description |
|--|--|
-|[](symantec-to-microsoft-defender-atp-prepare.md)
[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP. |
-|[](symantec-to-microsoft-defender-atp-setup.md)
[Set up Microsoft Defender ATP](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[](symantec-to-microsoft-defender-atp-onboard.md)
[Onboard to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall Symantec and make sure protection through Microsoft Defender ATP is in active mode. |
+|[](symantec-to-microsoft-defender-atp-prepare.md)
[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
+|[](symantec-to-microsoft-defender-atp-setup.md)
[Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[](symantec-to-microsoft-defender-atp-onboard.md)
[Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall Symantec and make sure protection through Microsoft Defender for Endpoint is in active mode. |
-## What's included in Microsoft Defender ATP?
+## What's included in Microsoft Defender for Endpoint?
-In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP.
+In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
| Feature/Capability | Description |
|---|---|
@@ -55,7 +56,7 @@ In this migration guide, we focus on [next-generation protection](https://docs.m
| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).**
+**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
## Next step
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
index 442d022d8e..38143cfd5f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
@@ -1,10 +1,11 @@
---
-title: Symantec to Microsoft Defender ATP - Phase 3, Onboarding
-description: This is Phase 3, Onboarding, of migrating from Symantec to Microsoft Defender ATP
+title: Symantec to Microsoft Defender for Endpoint - Phase 3, Onboarding
+description: This is Phase 3, Onboarding, of migrating from Symantec to Microsoft Defender for Endpoint
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -17,12 +18,12 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
-ms.date: 09/04/2020
+ms.date: 09/24/2020
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
-# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender ATP
+# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@@ -32,14 +33,14 @@ ms.reviewer: depicker, yongrhee, chriggs
|| |*You are here!* |
-**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps:
+**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps:
-1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp).
+1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
2. [Run a detection test](#run-a-detection-test).
3. [Uninstall Symantec](#uninstall-symantec).
-4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode).
+4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
-## Onboard devices to Microsoft Defender ATP
+## Onboard devices to Microsoft Defender for Endpoint
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
@@ -47,7 +48,7 @@ ms.reviewer: depicker, yongrhee, chriggs
3. In the **Select operating system to start onboarding process** list, select an operating system.
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods).
+4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
### Onboarding methods
@@ -63,7 +64,7 @@ Deployment methods vary, depending on which operating system is selected. Refer
## Run a detection test
-To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test.
+To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
|Operating system |Guidance |
@@ -74,7 +75,7 @@ To verify that your onboarded devices are properly connected to Microsoft Defend
## Uninstall Symantec
-Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall Symantec.
+Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall Symantec.
1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec.
@@ -83,24 +84,25 @@ Now that you have onboarded your organization's devices to Microsoft Defender AT
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**.
-3. Remove Symantec from your devices. If you need help with this, see the following Broadcom resources:
+3. Remove Symantec from your devices. If you need help with this, see Broadcom's documentation. Here are a few Broadcom resources:
- [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)
- Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
- macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
- Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
-## Make sure Microsoft Defender ATP is in active mode
+## Make sure Microsoft Defender for Endpoint is in active mode
-Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
+Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are enabled and in active mode.
-To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
- Cloud-delivered protection
- Potentially Unwanted Applications (PUA)
- Network Protection (NP)
## Next steps
-**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
+**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md).
+
+- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
index 6159c4adbd..cc678c90eb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
@@ -1,10 +1,11 @@
---
-title: Symantec to Microsoft Defender ATP - Phase 1, Preparing
-description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender ATP.
+title: Symantec to Microsoft Defender for Endpoint - Phase 1, Preparing
+description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender for Endpoint.
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -17,7 +18,7 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
-ms.date: 09/04/2020
+ms.date: 09/22/2020
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
@@ -32,33 +33,33 @@ ms.reviewer: depicker, yongrhee, chriggs
|*You are here!*| | |
-**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**.
+**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**.
This migration phase includes the following steps:
-1. [Get Microsoft Defender ATP](#get-microsoft-defender-atp).
+1. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
-## Get Microsoft Defender ATP
+## Get Microsoft Defender for Endpoint
-To get started, you must have Microsoft Defender ATP, with licenses assigned and provisioned.
+To get started, you must have Microsoft Defender for Endpoint, with licenses assigned and provisioned.
-1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp).
+1. Buy or try Microsoft Defender for Endpoint today. [Visit Microsoft Defender for Endpoint to start a free trial or request a quote](https://aka.ms/mdatp).
2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal.
+> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal.
## Grant access to the Microsoft Defender Security Center
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
+The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
@@ -75,19 +76,19 @@ Permissions to the Microsoft Defender Security Center can be granted by using ei
## Configure device proxy and internet connectivity settings
-To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
+To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
|Capabilities | Operating System | Resources |
-|--|--|--|
+|:----|:----|:---|
|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections)
+|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) |
## Next step
-**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
+**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-- [Proceed to set up Microsoft Defender ATP](symantec-to-microsoft-defender-atp-setup.md).
+- [Proceed to set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
index c0601a22de..f36e72d95c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
@@ -1,10 +1,11 @@
---
-title: Symantec to Microsoft Defender ATP - Phase 2, Setting Up
-description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender ATP
+title: Symantec to Microsoft Defender for Endpoint - Phase 2, Setting Up
+description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender for Endpoint
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -17,12 +18,12 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
-ms.date: 09/04/2020
+ms.date: 09/24/2020
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
-# Migrate from Symantec - Phase 2: Set up Microsoft Defender ATP
+# Migrate from Symantec - Phase 2: Set up Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@@ -32,14 +33,15 @@ ms.reviewer: depicker, yongrhee, chriggs
||*You are here!* | |
-**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps:
+**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps:
1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows).
2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
-3. [Add Microsoft Defender ATP to the exclusion list for Symantec](#add-microsoft-defender-atp-to-the-exclusion-list-for-symantec).
-4. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
-5. [Add Symantec to the exclusion list for Microsoft Defender ATP](#add-symantec-to-the-exclusion-list-for-microsoft-defender-atp).
-6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
+3. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+4. [Add Microsoft Defender for Endpoint to the exclusion list for Symantec](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-symantec).
+5. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
+6. [Add Symantec to the exclusion list for Microsoft Defender for Endpoint](#add-symantec-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
+7. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
+8. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
## Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)
@@ -48,7 +50,7 @@ ms.reviewer: depicker, yongrhee, chriggs
On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-Now that you're moving from Symantec to Microsoft Defender ATP, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode.
+Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode.
### Reinstall Microsoft Defender Antivirus on Windows Server
@@ -74,7 +76,7 @@ Now that you're moving from Symantec to Microsoft Defender ATP, you'll need to e
### Set Microsoft Defender Antivirus to passive mode on Windows Server
-Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP.
+Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
1. Open Registry Editor, and then navigate to
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
@@ -113,9 +115,19 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-## Add Microsoft Defender ATP to the exclusion list for Symantec
+## Get updates for Microsoft Defender Antivirus
-This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+- Security intelligence updates
+- Product updates
+
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+
+## Add Microsoft Defender for Endpoint to the exclusion list for Symantec
+
+This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
|OS |Exclusions |
|--|--|
@@ -145,9 +157,9 @@ You can choose from several methods to add your exclusions to Microsoft Defender
|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-## Add Symantec to the exclusion list for Microsoft Defender ATP
+## Add Symantec to the exclusion list for Microsoft Defender for Endpoint
-To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
+To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
@@ -213,6 +225,6 @@ Using Configuration Manager and your device collection(s), configure your antima
## Next step
-**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
+**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-onboard.md)
+- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
index caf55924e5..bdb20dff52 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
@@ -14,7 +14,9 @@ author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
index 3ad5cff1e5..86dbfb50a0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
@@ -13,7 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Event timeline - threat and vulnerability management
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 9e981319a8..77b4642f92 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -13,7 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
---
@@ -57,6 +59,8 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices marked as “high value” will receive more weight.
+You can also use the [set device value API](set-device-value.md).
+
Device value options:
- Low
@@ -82,6 +86,7 @@ Examples of devices that should be marked as high value:
3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device.
+
## Related topics
- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 00d85e1d60..eca2eff41e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -13,7 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Threat and vulnerability management dashboard insights
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 28da6b8c57..1773f17654 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -13,7 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Exposure score - threat and vulnerability management
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
index ad687089f9..59c5598a86 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
@@ -13,7 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Microsoft Secure Score for Devices
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 3a45c885e5..96e22571c0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -13,7 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Remediation activities and exceptions - threat and vulnerability management
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index a64042be50..723a90bded 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -13,7 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Security recommendations - threat and vulnerability management
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index 215f2fc19c..13d0634456 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -13,7 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Software inventory - threat and vulnerability management
@@ -26,7 +28,7 @@ ms.topic: conceptual
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-The software inventory in threat and vulnerability management is a list of all the software in your organization. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
+The software inventory in threat and vulnerability management is a list of all the software in your organization with known vulnerabilities. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
## How it works
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 9c71a766be..4de1a79a1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -13,7 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: article
---
# Supported operating systems and platforms - threat and vulnerability management
@@ -42,7 +44,7 @@ Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software prod
Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-macOS | Not supported (planned)
+macOS 10.13 "High Sierra" and above | Operating System (OS) vulnerabilities
Software product vulnerabilities
Linux | Not supported (planned)
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 4f2cc260b4..523a9d850b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -13,7 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Weaknesses found by threat and vulnerability management
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index 21348865a8..4dd4166246 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -21,22 +21,23 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> [!IMPORTANT]
+> **Web content filtering is currently in public preview**
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Microsoft Defender ATP preview features](preview.md).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-You can configure policies across your device groups to block certain categories, effectively preventing users within specified device groups from accessing URLs that are associated with the category. For any category that's not blocked, they are automatically audited. That means your users will be able to access the URLs without disruption, and you will continue to gather access statistics to help create a more custom policy decision. If an element on the page you’re viewing is making calls to a resource that is blocked, your users will see a block notification.
+Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.
Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section.
Summarizing the benefits:
- Users are prevented from accessing websites in blocked categories, whether they're browsing on-premises or away
-- Conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
+- Conveniently deploy policies to groups of users using device groups defined in [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
- Access web reports in the same central location, with visibility over actual blocks and web usage
## User experience
@@ -47,17 +48,17 @@ For a more user-friendly in-browser experience, consider using Microsoft Edge.
## Prerequisites
-Before trying out this feature, make sure you have the following:
+Before trying out this feature, make sure you have the following requirements:
- Windows 10 Enterprise E5 license OR Microsoft 365 E3 + Microsoft 365 E5 Security add-on.
- Access to Microsoft Defender Security Center portal
- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
-If Windows Defender SmartScreen is not turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
+If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
## Data handling
-For this feature, we will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
+We will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
## Turn on web content filtering
@@ -84,33 +85,30 @@ Tip: You can deploy a policy without selecting any category on a device group. T
>[!NOTE]
>If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
+>[!IMPORTANT]
+>Blocking the "Uncategorized" category may lead to unexpected and undesired results.
+
### Allow specific websites
-It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question.
+It's possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it's applied to the device group in question.
1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item**
2. Enter the domain of the site
3. Set the policy action to **Allow**.
-## Web content filtering
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- cards and details
+## Web content filtering cards and details
Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
### Web activity by category
-This card lists the parent web content categories with the largest percentage change in the number of access attempts, whether they have increased or decreased. You can use this card to understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information about that particular category.
+This card lists the parent web content categories with the largest increase or decrease in the number of access attempts. Understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information.
-In the first 30 days of using this feature, your organization might not have sufficient data to display in this card.
+In the first 30 days of using this feature, your organization might not have enough data to display this information.
-### Web content filtering
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- summary card
+### Web content filtering summary card
This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
@@ -140,9 +138,9 @@ Use the time range filter at the top left of the page to select a time period. Y
### Limitations and known issues in this preview
-- Only Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). This is because Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
+- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
-- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices in the interim before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
+- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index e86131af5d..38c6bd4b37 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -13,7 +13,9 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
ms.topic: conceptual
---
@@ -39,7 +41,8 @@ For more information preview features, see [Preview features](https://docs.micro
> ```
## September 2020
-- [Microsoft Defender ATP for Android](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, update, and use Microsoft Defender ATP for Android.
+- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, update, and use Microsoft Defender ATP for Android.
+- [Threat and vulnerability management macOS support](tvm-supported-os.md)
Threat and vulnerability management for macOS is now in public preview, and will continuously detect vulnerabilities on your macOS devices to help you prioritize remediation by focusing on risk. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824).
## July 2020
- [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates.
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 3956891c0c..263e076dda 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
author: dansimp
ms.localizationpriority: medium
-ms.date: 1/26/2018
+ms.date: 09/28/2020
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -78,7 +78,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
## MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
-For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
+For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
| Setting |
@@ -220,5 +220,3 @@ To better help you protect your organization, we recommend turning on and using
- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies)
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
index 3db828212a..ab09ef2ca5 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
@@ -77,8 +77,11 @@ None. Changes to this policy setting become effective without a computer restart
### Implementation considerations
Implementation of this policy setting is dependent on your operational environment. You should consider threat vectors, deployed operating systems, and deployed apps, for example:
+
- The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. You should set the account lockout threshold in consideration of the known and perceived risk of those threats.
+
- When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases.
+
- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign-in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold.
For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/).
@@ -87,22 +90,31 @@ For more information about Windows security baseline recommendations for account
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+> [!NOTE]
+> A lockout threshold policy will apply to both local member computer users and domain users, in order to allow mitigation of issues as described under "Vulnerability". The built-in Administrator account, however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot sign in to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password. See also [Appendix D: Securing Built-In Administrator Accounts in Active Directory](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory).
+
### Vulnerability
Brute force password attacks can use automated methods to try millions of password combinations for any user account. The effectiveness of such attacks can be almost eliminated if you limit the number of failed sign-in attempts that can be performed.
However, a DoS attack could be performed on a domain that has an account lockout threshold configured. An attacker could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the account lockout threshold, the attacker might be able to lock every account without needing any special privileges or being authenticated in the network.
-> **Note:** Offline password attacks are not countered by this policy setting.
+> [!NOTE]
+> Offline password attacks are not countered by this policy setting.
+
### Countermeasure
Because vulnerabilities can exist when this value is configured and when it is not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are:
+
- Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met:
+
- The password policy setting requires all users to have complex passwords of 8 or more characters.
- A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occur in the environment.
+
- Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but does not prevent a DoS attack.
+
Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it is needed to help mitigate massive lockouts caused by an attack on your systems.
### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index 35eaa8ac76..74ed307f82 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -76,7 +76,7 @@ Types of password attacks include dictionary attacks (which attempt to use commo
### Countermeasure
-Configure the **** policy setting to a value of 8 or more. If the number of characters is set to 0, no password will be required.
+Configure the **Minimum password length** policy setting to a value of 8 or more. If the number of characters is set to 0, no password will be required.
In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack.
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index da3aea58e5..58051a41aa 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -24,8 +24,7 @@ Learn about an approach to collect events from devices in your organization. Thi
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.
-To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The
-Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
+To accomplish this, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis.
diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
deleted file mode 100644
index 387aca9327..0000000000
--- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
+++ /dev/null
@@ -1,254 +0,0 @@
----
-title: WannaCrypt ransomware worm targets out-of-date systems
-description: This is an early analysis of the WannaCrypt ransomware attack. Microsoft antimalware diagnostic data immediately picked up signs of this campaign in May 2017.
-keywords: wannacry, wannacrypt, wanna, ransomware
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: dulcemontemayor
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
----
-
-# WannaCrypt ransomware worm targets out-of-date systems
-
-
-On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) if they have not already done so.
-
-Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
-
-In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
-
-## Attack vector
-
-Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB 'EternalBlue' vulnerability, [CVE-2017-0145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx), which was released on March 14, 2017.
-
-WannaCrypt's spreading mechanism is borrowed from [well-known](https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html) [public SMB exploits](https://github.com/RiskSense-Ops/MS17-010), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.
-
-The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.
-
-We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:
-
-- Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
-- Infection through SMB exploit when an unpatched computer is addressable from other infected machines
-
-## Dropper
-
-The threat arrives as a dropper Trojan that has the following two components:
-
-1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers
-2. The ransomware known as WannaCrypt
-
-The dropper tries to connect the following domains using the API `InternetOpenUrlA()`:
-
-- www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
-- www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
-
-If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.
-
-In other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.
-
-
-
-The threat creates a service named *mssecsvc2.0*, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:
-```
-Service Name: mssecsvc2.0
-Service Description: (Microsoft Security Center (2.0) Service)
-Service Parameters: '-m security'
-```
-
- 
-
-## WannaCrypt ransomware
-
-The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is 'WNcry@2ol7'.
-
-When run, WannaCrypt creates the following registry keys:
-
-- *HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\\ = '\\tasksche.exe'*
-- *HKLM\SOFTWARE\WanaCrypt0r\\wd = '\'*
-
-It changes the wallpaper to a ransom message by modifying the following registry key:
-
-- *HKCU\Control Panel\Desktop\Wallpaper: '\\\@WanaDecryptor@.bmp'*
-
-It creates the following files in the malware's working directory:
-
-- *00000000.eky*
-- *00000000.pky*
-- *00000000.res*
-- *274901494632976.bat*
-- @Please_Read_Me@.txt
-- @WanaDecryptor@.bmp
-- @WanaDecryptor@.exe
-- *b.wnry*
-- *c.wnry*
-- *f.wnry*
-- *m.vbs*
-- *msg\m_bulgarian.wnry*
-- *msg\m_chinese (simplified).wnry*
-- *msg\m_chinese (traditional).wnry*
-- *msg\m_croatian.wnry*
-- *msg\m_czech.wnry*
-- *msg\m_danish.wnry*
-- *msg\m_dutch.wnry*
-- *msg\m_english.wnry*
-- *msg\m_filipino.wnry*
-- *msg\m_finnish.wnry*
-- *msg\m_french.wnry*
-- *msg\m_german.wnry*
-- *msg\m_greek.wnry*
-- *msg\m_indonesian.wnry*
-- *msg\m_italian.wnry*
-- *msg\m_japanese.wnry*
-- *msg\m_korean.wnry*
-- *msg\m_latvian.wnry*
-- *msg\m_norwegian.wnry*
-- *msg\m_polish.wnry*
-- *msg\m_portuguese.wnry*
-- *msg\m_romanian.wnry*
-- *msg\m_russian.wnry*
-- *msg\m_slovak.wnry*
-- *msg\m_spanish.wnry*
-- *msg\m_swedish.wnry*
-- *msg\m_turkish.wnry*
-- *msg\m_vietnamese.wnry*
-- *r.wnry*
-- *s.wnry*
-- *t.wnry*
-- *TaskData\Tor\libeay32.dll*
-- *TaskData\Tor\libevent-2-0-5.dll*
-- *TaskData\Tor\libevent_core-2-0-5.dll*
-- *TaskData\Tor\libevent_extra-2-0-5.dll*
-- *TaskData\Tor\libgcc_s_sjlj-1.dll*
-- *TaskData\Tor\libssp-0.dll*
-- *TaskData\Tor\ssleay32.dll*
-- *TaskData\Tor\taskhsvc.exe*
-- *TaskData\Tor\tor.exe*
-- *TaskData\Tor\zlib1.dll*
-- *taskdl.exe*
-- *taskse.exe*
-- *u.wnry*
-
-WannaCrypt may also create the following files:
-
-- *%SystemRoot%\tasksche.exe*
-- *%SystemDrive%\intel\\\\tasksche.exe*
-- *%ProgramData%\\\\tasksche.exe*
-
-It may create a randomly named service that has the following associated ImagePath: `cmd.exe /c '\tasksche.exe'`.
-
-It then searches the whole computer for any file with any of the following file name extensions: *.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der' , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.*
-
-WannaCrypt encrypts all files it finds and renames them by appending *.WNCRY* to the file name. For example, if a file is named *picture.jpg*, the ransomware encrypts and renames the file to *picture.jpg.WNCRY*.
-
-This ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).
-
-After completing the encryption process, the malware deletes the volume shadow copies by running the following command:
-`cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet`
-
-It then replaces the desktop background image with the following message:
-
-
-
-It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:
-
- 
-
-The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.
-
-The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.
-
- 
-
-## Spreading capability
-
-The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.
-
-
-
-The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers.
-
-When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.
-
- 
-
- 
-
-## Protection against the WannaCrypt attack
-
-To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.
-
-We recommend customers that have not yet installed the security update [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
-
-- Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/)
-- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
-
-[Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Microsoft Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
-
-For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
-
-Use [Office 365 Advanced Threat Protection](https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.
-
-Monitor networks with [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/download/details.aspx?id=55090).
-
-## Resources
-
-Download English language security updates: [Windows Server 2003 SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows Server 2003 SP2 x86,](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe) [Windows XP SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows XP SP3 x86](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe), [Windows XP Embedded SP3 x86](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe), [Windows 8 x86,](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu) [Windows 8 x64](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu)
-
-Download localized language security updates: [Windows Server 2003 SP2 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e), [Windows Server 2003 SP2 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9), [Windows XP SP2 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa), [Windows XP SP3 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f), [Windows XP Embedded SP3 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add), [Windows 8 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340), [Windows 8 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0)
-
-MS17-010 Security Update: [https://technet.microsoft.com/library/security/ms17-010.aspx](https://technet.microsoft.com/library/security/ms17-010.aspx)
-
-Customer guidance for WannaCrypt attacks: [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)
-
-General information on ransomware: [https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx](https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx)
-
-## Indicators of compromise
-
-SHA1 of samples analyzed:
-
-- 51e4307093f8ca8854359c0ac882ddca427a813c
-- e889544aff85ffaf8b0d0da705105dee7c97fe26
-
-Files created:
-
-- %SystemRoot%\mssecsvc.exe
-- %SystemRoot%\tasksche.exe
-- %SystemRoot%\qeriuwjhrf
-- b.wnry
-- c.wnry
-- f.wnry
-- r.wnry
-- s.wnry
-- t.wnry
-- u.wnry
-- taskdl.exe
-- taskse.exe
-- 00000000.eky
-- 00000000.res
-- 00000000.pky
-- @WanaDecryptor@.exe
-- @Please_Read_Me@.txt
-- m.vbs
-- @WanaDecryptor@.exe.lnk
-- @WanaDecryptor@.bmp
-- 274901494632976.bat
-- taskdl.exe
-- Taskse.exe
-- Files with '.wnry' extension
-- Files with '.WNCRY' extension
-
-Registry keys created:
-
-- HKLM\SOFTWARE\WanaCrypt0r\wd
-
-
-
-*Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya*
*Microsoft Malware Protection Center*
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index a7254e397b..7ec755da77 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -25,7 +25,7 @@ ms.date: 10/30/2019
Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices.
-With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from “every app is Microsoft-verified" to “every app is verified by Microsoft or your organization”.
+With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization".
Refer to the below video for an overview and brief demo.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp]
@@ -57,7 +57,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
```powershell
Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete
```
- This deletes the ‘audit mode’ qualifier.
+ This deletes the 'audit mode' qualifier.
- Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the WDAC policy:
```powershell
@@ -88,9 +88,9 @@ Refer to [Intune Standalone - Win32 app management](https://docs.microsoft.com/i
## Optional: Process for Deploying Apps using Catalogs
-Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don’t want to allow as well.
+Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well.
-Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don’t want to trust all apps that may share the same signing certificate.
+Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate.
The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. Use the Add-SignerRule PowerShell cmdlet as shown above to authorize the catalog signing certificate in the supplemental policy. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs.
@@ -184,8 +184,6 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis
In order to revert users to an unmodified S mode policy, an IT Pro can remove a user or users from the targeted Intune group which received the policy, which will trigger a removal of both the policy and the authorization token from the device.
IT Pros also have the choice of deleting a supplemental policy through Intune.
-> [!Note]
-> This feature currently has a known bug which occurs when an S mode supplemental policy is deleted through Intune, in which the policy is not immediately removed from the devices to which it was deployed. A fix is expected in the 2D update in late February 2020. In the meantime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
```xml
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 7fac37b115..9fe4c819a1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -1,7 +1,7 @@
---
title: WDAC and AppLocker Overview
description: Compare Windows application control technologies.
-keywords: security, malware
+keywords: security, malware, allow-list, block-list
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
@@ -14,7 +14,7 @@ author: denisebmsft
ms.reviewer: isbrahm
ms.author: deniseb
manager: dansimp
-ms.date: 04/15/2020
+ms.date: 09/30/2020
ms.custom: asr
---
@@ -29,58 +29,51 @@ Windows 10 includes two technologies that can be used for application control de
## Windows Defender Application Control
-WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
-
-> [!NOTE]
-> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
+WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
-- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
-- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
-- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
-- The identity of the process that initiated the installation of the app and its binaries (managed installer);
-- The path from which the app or file is launched (beginning with Windows 10 version 1903);
-- The process that launched the app or binary.
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries
+- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
+- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md)
+- The identity of the process that initiated the installation of the app and its binaries ([managed installer](use-windows-defender-application-control-with-managed-installer.md))
+- The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
+- The process that launched the app or binary
+
+Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'.
### WDAC System Requirements
-WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
-WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
+WDAC policies can be created on any client edition of Windows 10 build 1903+ or on Windows Server 2016 and above.
+
+WDAC policies can be applied to devices running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10.
+
+For more information on which individual WDAC features are available on which WDAC builds, see [WDAC feature availability](feature-availability.md).
## AppLocker
-AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
+AppLocker was introduced with Windows 7 and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature.
AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
-- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
-- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
-- The path from which the app or file is launched (beginning with Windows 10 version 1903).
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries
+- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
+- The path from which the app or file is launched
### AppLocker System Requirements
-AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
+AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use WDAC or AppLocker
-Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
+Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements.
-### WDAC is best when:
-
-- You are adopting application control primarily for security reasons.
-- Your application control policy can be applied to all users on the managed computers.
-- All of the devices you wish to manage are running Windows 10.
-
-### AppLocker is best when:
+In some cases, however, AppLocker may be the more appropriate technology for your organization. AppLocker is best when:
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
-- You need to apply different policies for different users or groups on a shared computer.
-- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
-- You do not wish to enforce application control on application files such as DLLs or drivers.
+- You need to apply different policies for different users or groups on shared computers.
+- You do not want to enforce application control on application files such as DLLs or drivers.
-## When to use both WDAC and AppLocker together
-
-AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
-As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
+AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where it is important to prevent some users from running specific apps.
+As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.
diff --git a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
deleted file mode 100644
index 0533ec00f5..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-ms.author: dansimp
-author: dansimp
-title: The Microsoft Defender Security Center app
----
-
-# [The Microsoft Defender Security Center app](windows-defender-security-center.md)
-
-## [Customize the Microsoft Defender Security Center app for your organization](wdsc-customize-contact-information.md)
-## [Hide Microsoft Defender Security Center app notifications](wdsc-hide-notifications.md)
-## [Manage Microsoft Defender Security Center in Windows 10 in S mode](wdsc-windows-10-in-s-mode.md)
-## [Virus and threat protection](wdsc-virus-threat-protection.md)
-## [Account protection](wdsc-account-protection.md)
-## [Firewall and network protection](wdsc-firewall-network-protection.md)
-## [App and browser control](wdsc-app-browser-control.md)
-## [Device security](wdsc-device-security.md)
-## [Device performance and health](wdsc-device-performance-health.md)
-## [Family options](wdsc-family-options.md)
-
-
diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md
index e5edff503e..34b7c1beb1 100644
--- a/windows/security/threat-protection/windows-firewall/TOC.md
+++ b/windows/security/threat-protection/windows-firewall/TOC.md
@@ -96,6 +96,7 @@
## [Best practices]()
+### [Configuring the firewall](best-practices-configuring.md)
### [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
### [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
### [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md)
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
new file mode 100644
index 0000000000..274baf82d2
--- /dev/null
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -0,0 +1,212 @@
+---
+title: Best practices for configuring Windows Defender Firewall
+description: Learn about best practices for configuring Windows Defender Firewall
+
+keywords: firewall, best practices, security, network security, network, rules, filters,
+
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+
+---
+
+# Best practices for configuring Windows Defender Firewall
+
+**Applies to**
+
+- Windows operating systems including Windows 10
+
+- Windows Server Operating Systems
+
+Windows Defender Firewall with Advanced Security provides host-based, two-way
+network traffic filtering and blocks unauthorized network traffic flowing into
+or out of the local device. Configuring your Windows Firewall based on the
+following best practices can help you optimize protection for devices in your
+network. These recommendations cover a wide range of deployments including home
+networks and enterprise desktop/server systems.
+
+To open Windows Firewall, go to the **Start** menu, select **Run**,
+type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security).
+
+## Keep default settings
+
+When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect.
+
+
+
+*Figure 1: Windows Defender Firewall*
+
+1. **Domain profile**: Used for networks where there is a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC
+
+2. **Private profile**: Designed for and best used
+ in private networks such as a home network
+
+3. **Public profile**: Designed with higher security in mind
+ for public networks like Wi-Fi hotspots, coffee shops, airports, hotels, or stores
+
+View detailed settings for each profile by right-clicking the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then selecting **Properties**.
+
+Maintain the default settings in Windows Defender
+Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.
+
+
+
+*Figure 2: Default inbound/outbound settings*
+
+> [!IMPORTANT]
+> To maintain maximum security, do not change the default Block setting for inbound connections.
+
+For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior) and [Checklist: Configuring Basic Firewall Settings](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings).
+
+## Understand rule precedence for inbound rules
+
+In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic.
+
+This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this:
+
+
+
+*Figure 3: Rule Creation Wizard*
+
+> [!NOTE]
+>This article does not cover step-by-step rule
+configuration. See the [Windows Firewall with Advanced Security Deployment
+Guide](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide)
+for general guidance on policy creation.
+
+In many cases, allowing specific types of inbound traffic will be required for
+applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when
+allowing these inbound exceptions.
+
+1. Explicitly defined allow rules will take precedence over the default block setting.
+
+2. Explicit block rules will take precedence over any conflicting allow rules.
+
+3. More specific rules will take precedence over less specific rules, except in the case of explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 includes an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)
+
+Because of 1 and 2, it is important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
+
+A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
+
+> [!NOTE]
+> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above.
+
+## Create rules for new applications before first launch
+
+### Inbound allow rules
+
+When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there is a default block action in Windows Defender Firewall, it is necessary to create inbound exception rules to allow this traffic. It is common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule.
+
+If there are no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network.
+
+- If the user has admin permissions, they will be prompted. If they respond *No* or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic.
+
+- If the user is not a local admin, they will not be prompted. In most cases, block rules will be created.
+
+In either of the scenarios above, once these rules are added they must be deleted in order to generate the prompt again. If not, the traffic will continue to be blocked.
+
+> [!NOTE]
+> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user.
+
+
+### Known issues with automatic rule creation
+
+When designing a set of firewall policies for your network, it is a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience.
+
+The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime requires user interaction.
+
+To determine why some applications are blocked from communicating in the network, check for the following:
+
+1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt.
+
+2. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes.
+
+3. Local Policy Merge is disabled, preventing the application or network service from creating local rules.
+
+
+
+*Figure 4: Dialog box to allow access*
+
+See also [Checklist: Creating Inbound Firewall Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules).
+
+## Establish local policy merge and application rules
+
+Firewall rules can be deployed:
+1. Locally using the Firewall snap-in (**WF.msc**)
+2. Locally using PowerShell
+3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager (SCCM), or Intune (using workplace join)
+
+Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles.
+
+The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy.
+
+
+
+*Figure 5: Rule merging setting*
+
+> [!TIP]
+> In the firewall [configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp), the
+equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*.
+
+If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.
+
+Admins may disable *LocalPolicyMerge* in high security environments to maintain tighter control over endpoints. This can impact some apps and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device
+Management (MDM), or both (for hybrid or co-management environments).
+
+[Firewall CSP](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp) and [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging.
+
+As a best practice, it is important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.
+
+In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes.
+
+
+
+> [!NOTE]
+> The use of wildcard patterns, such as *C:\*\\teams.exe* is not
+supported in application rules. We currently only support rules created using the full path to the application(s).
+
+## Know how to use "shields up" mode for active attacks
+
+An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It is an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
+
+Shields up can be achieved by checking **Block all
+incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*.
+
+
+
+*Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type*
+
+
+
+*Figure 7: Legacy firewall.cpl*
+
+By default, the Windows Defender Firewall will block everything unless there is an exception rule created. This setting overrides the exceptions.
+
+For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there is an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access will not work as long as shields up is activated.
+
+Once the emergency is over, uncheck the setting to restore regular network traffic.
+
+## Create outbound rules
+
+What follows are a few general guidelines for configuring outbound rules.
+
+- The default configuration of Blocked for Outbound rules can be
+ considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default.
+
+- It is recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use.
+
+- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments).
+
+For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules).
+
+## Document your changes
+
+When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
diff --git a/windows/security/threat-protection/windows-firewall/images/fw01-profiles.png b/windows/security/threat-protection/windows-firewall/images/fw01-profiles.png
new file mode 100644
index 0000000000..c1aa416fdf
Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw01-profiles.png differ
diff --git a/windows/security/threat-protection/windows-firewall/images/fw02-createrule.png b/windows/security/threat-protection/windows-firewall/images/fw02-createrule.png
new file mode 100644
index 0000000000..5c8f858f52
Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw02-createrule.png differ
diff --git a/windows/security/threat-protection/windows-firewall/images/fw03-defaults.png b/windows/security/threat-protection/windows-firewall/images/fw03-defaults.png
new file mode 100644
index 0000000000..cfc1daea37
Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw03-defaults.png differ
diff --git a/windows/security/threat-protection/windows-firewall/images/fw04-userquery.png b/windows/security/threat-protection/windows-firewall/images/fw04-userquery.png
new file mode 100644
index 0000000000..85f7485479
Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw04-userquery.png differ
diff --git a/windows/security/threat-protection/windows-firewall/images/fw05-rulemerge.png b/windows/security/threat-protection/windows-firewall/images/fw05-rulemerge.png
new file mode 100644
index 0000000000..74c49fab7b
Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw05-rulemerge.png differ
diff --git a/windows/security/threat-protection/windows-firewall/images/fw06-block.png b/windows/security/threat-protection/windows-firewall/images/fw06-block.png
new file mode 100644
index 0000000000..2909fa51d3
Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw06-block.png differ
diff --git a/windows/security/threat-protection/windows-firewall/images/fw07-legacy.png b/windows/security/threat-protection/windows-firewall/images/fw07-legacy.png
new file mode 100644
index 0000000000..a8d15e6e31
Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw07-legacy.png differ
diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
index 6071427eda..00bdfd5630 100644
--- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
@@ -10,7 +10,9 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-ms.collection: M365-security-compliance
+ms.collection:
+- m365-security-compliance
+- m365-initiative-windows-security
ms.topic: troubleshooting
---
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
index d6b2ed3cde..98fe19379f 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
@@ -86,7 +86,7 @@ The following table identifies and defines terms used throughout this guide.
| Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).|
| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.|
| Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.|
-| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
+| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).|
| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.|
| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index 6f809cdf89..7f2d33540e 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -27,7 +27,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec
## Learn more
-- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)
+- [Windows 10 release information](https://docs.microsoft.com/windows/release-information/)
- [Windows 10 release health dashboard](https://docs.microsoft.com/windows/release-information/status-windows-10-2004)
- [Windows 10 update history](https://support.microsoft.com/help/4555932/windows-10-update-history)
- [What’s new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new)
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 27fc2277eb..314e4d3826 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -130,7 +130,6 @@ General battery life and power efficiency improvements for PCs with certain proc
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
-[What's new in Windows 10, version 1909 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-1909): This list also includes consumer focused new features.
[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.
- 
- 
- 
- 
- 
- 
