deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 08:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into autopilot

Browse Source
This commit is contained in:
Greg Lindsay 2019-02-20 11:32:39 -08:00
commit 58abb82a48
85 changed files with 3150 additions and 1187 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.openpublishing.redirection.json
View File

@ -1,13 +1,13 @@
{
"redirections": [
{
"source_path": "windows/deployment/update/waas-servicing-differences.md",
"redirect_url": "https://docs.microsoft.com/windows/deployment/update/windows-as-a-service",
"source_path": "windows/application-management/msix-app-packaging-tool-walkthrough.md",
"redirect_url": "https://docs.microsoft.com/windows/msix/mpt-overview",
"redirect_document_id": true
},
{
"source_path": "windows/application-management/msix-app-packaging-tool-walkthrough.md",
"redirect_url": "https://docs.microsoft.com/windows/msix/mpt-overview",
"source_path": "windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-containers-help-protect-windows",
"redirect_document_id": true
},
{

4
devices/surface/ethernet-adapters-and-surface-device-deployment.md
View File

@ -32,9 +32,9 @@ Booting from the network (PXE boot) is only supported when you use an Ethernet a
The following Ethernet devices are supported for network boot with Surface devices:
- Surface USB to Ethernet adapter
- Surface USB-C to Ethernet and USB 3.0 Adapter
- Surface USB 3.0 Ethernet adapter
- Surface USB 3.0 to Gigabit Ethernet Adapter
- Surface Dock

1
devices/surface/index.md
View File

@ -31,6 +31,7 @@ For more information on planning for, deploying, and managing Surface devices in
| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
| [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | Learn how to investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. |
| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
| [Top support solutions for Surface devices](support-solutions-surface.md) | These are the top Microsoft Support solutions for common issues experienced using Surface devices in an enterprise. |
| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |

2
windows/client-management/mdm/policy-csp-browser.md
View File

@ -2785,7 +2785,7 @@ ADMX Info:
Supported values:
- Blank (default) - Load the pages specified in App settings as the default Start pages.
- String - Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:<p><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\<support.contoso.com\>&nbsp;\<support.microsoft.com\>
- String - Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets and comma:<p><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\<support.contoso.com\>&comma;\<support.microsoft.com\>
<!--/SupportedValues-->
<!--/Policy-->

8
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -288,7 +288,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
Determines the type of PIN required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
> [!NOTE]
> This policy must be wrapped in an Atomic command.
@ -306,9 +306,9 @@ Determines the type of PIN or password required. This policy only applies if the
<!--SupportedValues-->
The following list shows the supported values:
- 0 Alphanumeric PIN or password required.
- 1 Numeric PIN or password required.
- 2 (default) Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
- 0 Password or Alphanumeric PIN required.
- 1 Password or Numeric PIN required.
- 2 (default) Password, Numeric PIN, or Alphanumeric PIN required.
<!--/SupportedValues-->
<!--/Policy-->

7
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -17,6 +17,13 @@ ms.date: 11/07/2018
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## February 2019
New or changed topic | Description
--- | ---
[Set up a single-app kiosk](kiosk-single-app.md) | Replaced instructions for Microsoft Intune with a link to the Intune documentation.
[Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) | Replaced instructions for Intune with a link to the Intune documentation.
## January 2019
New or changed topic | Description

4
windows/configuration/kiosk-shelllauncher.md
View File

@ -36,7 +36,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt
### Requirements
## Requirements
>[!WARNING]
>- Windows 10 doesnt support setting a custom shell prior to OOBE. If you do, you wont be able to deploy the resulting image.
@ -50,7 +50,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt
[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
### Configure Shell Launcher
## Configure Shell Launcher
To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.

20
windows/configuration/kiosk-single-app.md
View File

@ -238,30 +238,14 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
>
>Account type: Local standard user, Azure AD
![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png)
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
>[!TIP]
>Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp).
The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider.
**To configure kiosk in Microsoft Intune**
2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
3. Select **Device configuration**.
4. Select **Profiles**.
5. Select **Create profile**.
6. Enter a friendly name for the profile.
7. Select **Windows 10 and later** for the platform.
8. Select **Device restrictions** for the profile type.
9. Select **Kiosk**.
10. In **Kiosk Mode**, select **Single app kiosk**.
1. Enter the user account (Azure AD or a local standard user account).
11. Enter the Application User Model ID for an installed app.
14. Select **OK**, and then select **Create**.
18. Assign the profile to a device group to configure the devices in that group as kiosks.
To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For other MDM services, see the documentation for your provider.

27
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -46,30 +46,7 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
## Configure a kiosk in Microsoft Intune
1. [Generate the Start layout for the kiosk device.](#startlayout)
2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
3. Select **Device configuration**.
4. Select **Profiles**.
5. Select **Create profile**.
6. Enter a friendly name for the profile.
7. Select **Windows 10 and later** for the platform.
8. Select **Kiosk (Preview)** for the profile type.
9. Select **Kiosk - 1 setting available**.
10. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu.
12. Enter a friendly name for the configuration.
10. In **Kiosk Mode**, select **Multi app kiosk**.
13. Select an app type.
- For **Add Win32 app**, enter a friendly name for the app in **App Name**, and enter the path to the app executable in **Identifier**.
- For **Add managed apps**, select an app that you manage through Intune.
- For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app.
14. Select whether to enable the taskbar.
15. Browse to and select the Start layout XML file that you generated in step 1.
16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available.
17. Select **OK**. You can add additional configurations or finish.
18. Assign the profile to a device group to configure the devices in that group as kiosks.
>[!NOTE]
>Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription.
To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](https://docs.microsoft.com/intune/kiosk-settings-windows).
## Configure a kiosk using a provisioning package
@ -178,7 +155,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
- To configure the app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:

BIN
windows/deployment/update/images/security-only-update.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 217 KiB

3
windows/deployment/update/waas-configure-wufb.md
View File

@ -7,7 +7,6 @@ ms.sitesec: library
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.date: 11/16/2018
---
# Configure Windows Update for Business
@ -17,6 +16,8 @@ ms.date: 11/16/2018
- Windows 10
- Windows 10 Mobile
- Windows Server 2016
- Windows Server 2019
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)

2
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -16,6 +16,8 @@ ms.author: jaimeo
- Windows 10
- Windows 10 Mobile
- Windows Server 2016
- Windows Server 2019
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)

115
windows/deployment/update/waas-servicing-differences.md Normal file
View File

@ -0,0 +1,115 @@
---
title: Servicing differences between Windows 10 and older operating systems
description: Learn the differences between servicing Windows 10 and servicing older operating systems.
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: KarenSimWindows
ms.localizationpriority: medium
ms.author: karensim
---
# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
>Applies to: Windows 10
>**February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.**
Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates.
The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).
>[!NOTE]
>A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc.
## Infinite fragmentation
Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates.
As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If youve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
## Windows 10 Next generation
Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation.
This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU.
Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
![High level cumulative update model](images/servicing-cadence.png)
*Figure 1.0 - High level cumulative update model*
Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10.
### Points to consider
- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new.
- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.)
- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
- For Windows 10, available update types vary by publishing channel:
- For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
- Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this example for Windows 10, version 1709) For more information on Servicing Stack Updates, please see this blog.
- For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
## Windows 7 and legacy OS versions
While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems.
The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current months Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
![Legacy OS security-only update model](images/security-only-update.png)
*Figure 2.0 - Legacy OS security-only update model*
Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsofts test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
### Points to consider
- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.)
- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security required" updates, because both have the full set of security updates in them. The Monthly Rollup may have additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed.
- Given the differences between the cumulative Monthly Rollups and the single-month Security-only update packages, switching between these update types is not advised. Differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type with high consistency Monthly Rollup or Security-only is recommended.
- With all Legacy OS versions now in the Extended Support stage of their 10-year lifecycle, they typically receive only security updates for both Monthly Rollup and Security Only updates. Using Express for the Monthly Rollup results in almost the same package size as Security Only, with the added confidence of ensuring all relevant updates are installed.
- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback.
- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup.
- [Updates for .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated.
- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
## Public preview releases
Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that months B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next months B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
### Examples
Windows 10 version 1709:
- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot.
- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required.
- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models.
![Preview releases in the Windows 10 LCU model](images/servicing-previews.png)
*Figure 3.0 - Preview releases within the Windows 10 LCU model*
## Previews vs. on-demand releases
In 2018, we experienced incidents which required urgent remediation that didnt map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next months Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.)
### Point to consider
- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
- Rarely do incidents with Update Tuesday releases impact more than .1% of the total population. With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however.
- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices.
- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way.
In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure.
## Resources
- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530)
- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772)
- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783)
- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/)
- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)
- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376)
- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)

2
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -195,7 +195,7 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that
> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries.
### Device names not appearing for Windows 10 devices
Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates.
### Disable Upgrade Readiness

2
windows/deployment/update/windows-analytics-get-started.md
View File

@ -163,7 +163,7 @@ These policies are under Microsoft\Windows\DataCollection:
| CommercialId | In order for your devices to show up in Windows Analytics, they must be configured with your organizations Commercial ID. |
| AllowTelemetry (in Windows 10) | 1 (Basic), 2 (Enhanced) or 3 (Full) diagnostic data. Windows Analytics will work with basic diagnostic data, but more features are available when you use the Enhanced level (for example, Device Health requires Enhanced diagnostic data and Upgrade Readiness only collects app usage and site discovery data on Windows 10 devices with Enhanced diagnostic data). For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
| LimitEnhancedDiagnosticDataWindowsAnalytics (in Windows 10) | Only applies when AllowTelemetry=2. Limits the Enhanced diagnostic data events sent to Microsoft to just those needed by Windows Analytics. For more information, see [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields).|
| AllowDeviceNameInTelemetry (in Windows 10) | In Windows 10, version 1803, a separate opt-in is required to enable devices to continue to send the device name. |
| AllowDeviceNameInTelemetry (in Windows 10) | In Windows 10, version 1803, a separate opt-in is required to enable devices to continue to send the device name. Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. |
| CommercialDataOptIn (in Windows 7 and Windows 8) | 1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |

1
windows/deployment/update/windows-as-a-service.md
View File

@ -24,6 +24,7 @@ Everyone wins when transparency is a top priority. We want you to know when upda
The latest news:
<ul compact style="list-style: none">
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523">Windows Update for Business and the retirement of SAC-T</a> - February 14, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/#A8urpp1QEp6DHzmP.97">Application compatibility in the Windows ecosystem</a> - January 15, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/12/10/windows-monthly-security-and-quality-updates-overview/#UJJpisSpvyLokbHm.97">Windows monthly security and quality updates overview</a> - January 10, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/12/19/driver-quality-in-the-windows-ecosystem/#ktuodfovWAMAkssM.97">Driver quality in the Windows ecosystem</a> - December 19, 2018</li>

6
windows/deployment/update/windows-update-troubleshooting.md
View File

@ -103,10 +103,10 @@ If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_M
You may choose to apply a rule to permit HTTP RANGE requests for the following URLs:
*.download.windowsupdate.com
*.au.windowsupdate.com
*.tlu.dl.delivery.mp.microsoft.com
*.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com
If you cannot permit RANGE requests, you can configure a Group Policy or MDM Policy setting that will bypass Delivery Optimization and use BITS instead.
If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work).
## The update is not applicable to your computer

3
windows/deployment/upgrade/troubleshoot-upgrade-errors.md
View File

@ -7,7 +7,6 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.date: 03/30/2018
ms.localizationpriority: medium
---
@ -22,7 +21,7 @@ ms.localizationpriority: medium
If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process.
Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase.
Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100.
These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered.

4
windows/deployment/upgrade/windows-10-edition-upgrades.md
View File

@ -8,7 +8,6 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
ms.date: 10/25/2018
---
# Windows 10 edition upgrade
@ -24,7 +23,7 @@ For a list of operating systems that qualify for the Windows 10 Pro Upgrade or W
The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuratio Manager.
Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuration Manager.
![not supported](../images/x_blk.png) (X) = not supported</br>
![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required</br>
@ -59,7 +58,6 @@ X = unsupported <BR>
| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
| **Enterprise LTSC > Enterprise** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
| **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) |
> [!NOTE]

3
windows/deployment/upgrade/windows-10-upgrade-paths.md
View File

@ -7,7 +7,6 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.pagetype: mobile
author: greg-lindsay
ms.date: 07/06/2018
---
# Windows 10 upgrade paths
@ -24,7 +23,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
>In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later.
>In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup).
>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.

2
windows/deployment/windows-autopilot/registration-auth.md
View File

@ -39,7 +39,7 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus
![Request a reseller relationship](images/csp1.png)
- Select the checkbox indicating whether or not you want delegated admin rights:
![Delegated rights](images/csp2.png)
- NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in tihs document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
- NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
- Send the template above to the customer via email.
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:

2
windows/deployment/windows-autopilot/self-deploying.md
View File

@ -18,7 +18,7 @@ ms.author: greg-lindsay
Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).
Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, levering the enrollment status page to prevent access to the desktop until the device is fully provisioned.
Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.
>[!NOTE]
>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.

4
windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
View File

@ -41,11 +41,11 @@ In environments that have more restrictive internet access, or for those that re
- NOTE:  If Windows Update is inaccessible, the AutoPilot process will still continue.
- **Delivery Optimization.**  When downloading Windows Updates and Microsoft Store apps and app updates (with additional content types expected in the future), the Delivery Optimization service is contacted to enable peer-to-peer sharing of content, so that all devices dont need to download it from the internet.
- **Delivery Optimization.**  When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
- <https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization>
- NOTE: If Delivery Optimization is inaccessible, the AutoPilot process will still continue.
- NOTE: If Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
- **Network Time Protocol (NTP) Sync.**  When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate.

465
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
ms.date: 12/27/2018
ms.date: 02/15/2019
---
@ -65,11 +65,12 @@ The following fields are available:
- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows
- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows
- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows
- **SystemProcessorNx** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
- **SystemProcessorSse2** The count of DecisionMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
- **SystemWim** The count of DecisionMediaCenter objects present on this machine targeting the next release of Windows
- **SystemProcessorNx** The total number of objects of this type present on this device.
- **SystemProcessorPrefetchW** The total number of objects of this type present on this device.
- **SystemProcessorSse2** The total number of objects of this type present on this device.
- **SystemWim** The total number of objects of this type present on this device.
- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows
- **SystemWlan** The count of InventoryApplicationFile objects present on this machine.
- **SystemWlan** The total number of objects of this type present on this device.
- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
@ -475,7 +476,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
The following fields are available:
@ -1270,7 +1271,7 @@ This event sends version data about the Apps running on this device, to help kee
The following fields are available:
- **CensusVersion** The version of Census that generated the current data for this device.
- **IEVersion** Retrieves which version of Internet Explorer is running on this device.
- **IEVersion** The version of Internet Explorer that is running on the device.
### Census.Battery
@ -1757,6 +1758,20 @@ The following fields are available:
- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
## Component-based Servicing events
### CbsServicingProvider.CbsCapabilitySessionFinalize
This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
### CbsServicingProvider.CbsCapabilitySessionPended
This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date.
## Content Delivery Manager events
### Microsoft.Windows.ContentDeliveryManager.ProcessCreativeEvent
@ -1827,6 +1842,7 @@ The following fields are available:
- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save.
- **LastBugCheckOtherSettings** Other crash dump settings.
- **LastBugCheckParameter1** The first parameter with additional info on the type of the error.
- **LastBugCheckProgress** Progress towards writing out the last crash dump.
- **LastSuccessfullyShutdownBootId** The Boot ID of the last fully successful shutdown.
- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released").
- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed").
@ -1890,7 +1906,7 @@ The following fields are available:
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
- **CanPerformScripting** True if UTC is allowed to perform scripting.
- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
- **CanReportScenarios** True if we can report scenario completions, false otherwise.
- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
@ -2017,6 +2033,80 @@ The following fields are available:
- **WDDMVersion** The Windows Display Driver Model version.
## Failover Clustering events
### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2
This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations.
The following fields are available:
- **autoAssignSite** The cluster parameter: auto site.
- **autoBalancerLevel** The cluster parameter: auto balancer level.
- **autoBalancerMode** The cluster parameter: auto balancer mode.
- **blockCacheSize** The configured size of the block cache.
- **ClusterAdConfiguration** The ad configuration of the cluster.
- **clusterAdType** The cluster parameter: mgmt_point_type.
- **clusterDumpPolicy** The cluster configured dump policy.
- **clusterFunctionalLevel** The current cluster functional level.
- **clusterGuid** The unique identifier for the cluster.
- **clusterWitnessType** The witness type the cluster is configured for.
- **countNodesInSite** The number of nodes in the cluster.
- **crossSiteDelay** The cluster parameter: CrossSiteDelay.
- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold.
- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay.
- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold.
- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters.
- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters.
- **csvResourceCount** The number of resources in the cluster.
- **currentNodeSite** The name configured for the current site for the cluster.
- **dasModeBusType** The direct storage bus type of the storage spaces.
- **downLevelNodeCount** The number of nodes in the cluster that are running down-level.
- **drainOnShutdown** Specifies whether a node should be drained when it is shut down.
- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled.
- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity.
- **genAppNames** The win32 service name of a clustered service.
- **genSvcNames** The command line of a clustered genapp.
- **hangRecoveryAction** The cluster parameter: hang recovery action.
- **hangTimeOut** Specifies the “hang time out” parameter for the cluster.
- **isCalabria** Specifies whether storage spaces direct is enabled.
- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes.
- **isRunningDownLevel** Identifies if the current node is running down-level.
- **logLevel** Specifies the granularity that is logged in the cluster log.
- **logSize** Specifies the size of the cluster log.
- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID.
- **minNeverPreempt** The cluster parameter: minimum never preempt.
- **minPreemptor** The cluster parameter: minimum preemptor priority.
- **netftIpsecEnabled** The parameter: netftIpsecEnabled.
- **NodeCount** The number of nodes in the cluster.
- **nodeId** The current node number in the cluster.
- **nodeResourceCounts** Specifies the number of node resources.
- **nodeResourceOnlineCounts** Specifies the number of node resources that are online.
- **numberOfSites** The number of different sites.
- **numNodesInNoSite** The number of nodes not belonging to a site.
- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes.
- **preferredSite** The preferred site location.
- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster.
- **quarantineDuration** The quarantine duration.
- **quarantineThreshold** The quarantine threshold.
- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period.
- **resiliencyLevel** Specifies the level of resiliency.
- **resourceCounts** Specifies the number of resources.
- **resourceTypeCounts** Specifies the number of resource types in the cluster.
- **resourceTypes** Data representative of each resource type.
- **resourceTypesPath** Data representative of the DLL path for each resource type.
- **sameSubnetDelay** The cluster parameter: same subnet delay.
- **sameSubnetThreshold** The cluster parameter: same subnet threshold.
- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster).
- **securityLevel** The cluster parameter: security level.
- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes.
- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down.
- **upNodeCount** Specifies the number of nodes that are up (online).
- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV.
- **vmIsolationTime** The cluster parameter: VM isolation time.
- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database.
## Fault Reporting events
### Microsoft.Windows.FaultReporting.AppCrashEvent
@ -2227,6 +2317,30 @@ The following fields are available:
- **Version** The version number of the program.
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
This event represents what drivers an application installs.
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
This event provides the basic metadata about the frameworks an application may depend on.
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
@ -2378,33 +2492,34 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
- **Class** The device setup class of the driver loaded for the device
- **ClassGuid** The device class GUID from the driver package
- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device. See [COMPID](#compid).
- **ContainerId** A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device.
- **Description** The device description
- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
- **DriverId** A unique identifier for the installed device.
- **Class** The device setup class of the driver loaded for the device.
- **ClassGuid** The device class unique identifier of the driver package loaded on the device.
- **COMPID** The list of “Compatible IDs” for this device. See [COMPID](#compid).
- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to.
- **Description** The description of the device.
- **DeviceState** Identifies the current state of the parent (main) device.
- **DriverId** The unique identifier for the installed driver.
- **DriverName** The name of the driver image file.
- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
- **DriverVerDate** The date of the driver loaded for the device
- **DriverVerVersion** The version of the driver loaded for the device
- **Enumerator** The bus that enumerated the device
- **HWID** A JSON array that provides the value and order of the HWID tree for the device. See [HWID](#hwid).
- **Inf** The INF file name.
- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
- **InventoryVersion** The version of the inventory file generating the events.
- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
- **LowerFilters** Lower filter drivers IDs installed for the device
- **Manufacturer** The device manufacturer
- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance
- **Model** The device model
- **ParentId** Device instance id of the parent of the device
- **ProblemCode** The current error code for the device.
- **Provider** The device provider
- **Service** The device service name
- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device. See [STACKID](#stackid).
- **UpperClassFilters** Upper filter class drivers IDs installed for the device
- **UpperFilters** Upper filter drivers IDs installed for the device
- **Enumerator** Identifies the bus that enumerated the device.
- **HWID** A list of hardware IDs for the device. See [HWID](#hwid).
- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
- **InventoryVersion** The version number of the inventory process generating the events.
- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device.
- **LowerFilters** The identifiers of the Lower filters installed for the device.
- **Manufacturer** The manufacturer of the device.
- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance.
- **Model** Identifies the model of the device.
- **ParentId** The Device Instance ID of the parent of the device.
- **ProblemCode** The error code currently returned by the device, if applicable.
- **Provider** Identifies the device provider.
- **Service** The name of the device service.
- **STACKID** The list of hardware IDs for the stack. See [STACKID](#stackid).
- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device.
- **UpperFilters** The identifiers of the Upper filters installed for the device.
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
@ -2429,6 +2544,18 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
This event sends basic metadata about the USB hubs on the device.
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
This event provides the basic metadata about driver binaries running on the system.
@ -2567,6 +2694,18 @@ This event provides insight data on the installed Office products
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
This diagnostic event indicates that a new sync is being generated for this object type.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
Describes Office Products installed.
@ -2591,6 +2730,18 @@ Indicates a new sync is being generated for this object type.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
This event indicates that a new sync is being generated for this object type.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
Provides data on Unified Update Platform (UUP) products and what version they are at.
@ -3215,6 +3366,12 @@ The following fields are available:
- **Time** The system time at which the event began.
### Microsoft.Windows.Sediment.Info.DetailedState
This event is sent when detailed state information is needed from an update trial run.
### Microsoft.Windows.Sediment.Info.DownloadServiceError
This event provides information when the Download Service returns an error. The information provided helps keep Windows up to date.
@ -3394,6 +3551,17 @@ The following fields are available:
- **Url** The new URL from which content will be executed.
### Microsoft.Windows.Sediment.OSRSS.SelfUpdate
This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version.
The following fields are available:
- **ServiceVersionMajor** The major version number for the component.
- **ServiceVersionMinor** The minor version number for the component.
- **Time** The system timestamp for when the event occurred.
### Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
@ -3408,6 +3576,17 @@ The following fields are available:
- **Time** System timestamp the event was fired
### Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed
This event returns data relating to the error state after one of the applicability checks for the installer component of the Operating System Remediation System Service (OSRSS) has failed.
The following fields are available:
- **CheckName** The name of the applicability check that failed.
- **InstallerVersion** The version information for the installer component.
- **Time** The system timestamp for when the event occurred.
### Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate
This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update to itself. This information helps ensure Windows is up to date.
@ -3855,6 +4034,26 @@ The following fields are available:
- **threadId** The ID of the thread on which the activity is executing.
## SIH events
### SIHEngineTelemetry.EvalApplicability
This event is sent when targeting logic is evaluated to determine if a device is eligible a given action.
### SIHEngineTelemetry.ExecuteAction
This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot.
### SIHEngineTelemetry.PostRebootReport
This event reports the status of an action following a reboot, should one have been required.
## Software update events
### SoftwareUpdateClientTelemetry.CheckForUpdates
@ -3977,36 +4176,36 @@ The following fields are available:
- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
- **AppXDownloadScope** Indicates the scope of the download for application content.
- **BiosFamily** The family of the BIOS (Basic Input Output System).
- **BiosName** The name of the device BIOS.
- **BiosReleaseDate** The release date of the device BIOS.
- **BiosSKUNumber** The sku number of the device BIOS.
- **BiosSKUNumber** The SKU number of the device BIOS.
- **BIOSVendor** The vendor of the BIOS.
- **BiosVersion** The version of the BIOS.
- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle.
- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
- **BundleId** Identifier associated with the specific content bundle.
- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
- **BundleRevisionNumber** Identifies the revision number of the content bundle.
- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable.
- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client.
- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download.
- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS).
- **ClientVersion** The version number of the software distribution client.
- **CurrentMobileOperator** The mobile operator the device is currently connected to.
- **DeviceModel** What is the device model.
- **DeviceOEM** What OEM does this device belong to.
- **DeviceModel** The model of the device.
- **DeviceOEM** Identifies the Original Equipment Manufacturer (OEM) of the device.
- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
- **Edition** Indicates the edition of Windows being used.
- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events.
- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads.
- **Edition** Identifies the edition of Windows currently running on the device.
- **EventInstanceID** A globally unique identifier for event instance.
- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
- **EventType** Possible values are Child, Bundle, or Driver.
- **EventNamespaceID** The ID of the test events environment.
- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed.
- **EventType** Identifies the type of the event (Child, Bundle, or Driver).
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
@ -4016,39 +4215,39 @@ The following fields are available:
- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
- **HostName** The hostname URL the content is downloading from.
- **HostName** The parent URL the content is downloading from.
- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
- **IsAOACDevice** Is it Always On, Always Connected?
- **IsAOACDevice** Indicates whether the device is an Always On, Always Connected (AOAC) device.
- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
- **NetworkCostBitMask** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content.
- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
- **PackageFullName** The package name of the content.
- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
- **PlatformRole** The PowerPlatformRole as defined on MSDN
- **PlatformRole** The role of the OS platform (Desktop, Mobile, Workstation, etc.).
- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector.
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **RevisionNumber** The revision number of the specified piece of content.
- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.).
- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
- **SystemBIOSMajorRelease** Major version of the BIOS.
- **SystemBIOSMinorRelease** Minor version of the BIOS.
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package.
- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded.
- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded.
- **UpdateId** An identifier associated with the specific piece of content.
- **UpdateID** An identifier associated with the specific piece of content.
- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
- **UsedDO** Whether the download used the delivery optimization service.
- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional.
- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service.
- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
- **WUSetting** Indicates the users' current updating settings.
@ -4221,7 +4420,7 @@ The following fields are available:
- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
- **ExtendedStatusCode** The secondary status code of the event.
- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed.
- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
@ -4232,7 +4431,7 @@ The following fields are available:
- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
- **SHA256OfTimestampToken** An encoded string of the timestamp token.
- **SignatureAlgorithm** The hash algorithm for the metadata signature.
- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
- **StatusCode** The status code of the event.
@ -4452,6 +4651,22 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
- **ErrorCode** The error code returned for the current install phase.
- **FlightId** Unique ID for each flight.
- **ObjectId** Unique value for each Update Agent mode.
- **RelatedCV** Correlation vector value generated from the latest USO scan.
- **Result** Outcome of the install phase of the update.
- **ScenarioId** Indicates the update scenario.
- **SessionId** Unique value for each update attempt.
- **UpdateId** Unique ID for each update.
### Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
@ -4483,6 +4698,26 @@ The following fields are available:
- **UpdateId** Unique ID for each Update.
### Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
- **ElapsedTickCount** Time taken for expand phase.
- **EndFreeSpace** Free space after expand phase.
- **EndSandboxSize** Sandbox size after expand phase.
- **ErrorCode** The error code returned for the current install phase.
- **FlightId** Unique ID for each flight.
- **ObjectId** Unique value for each Update Agent mode.
- **RelatedCV** Correlation vector value generated from the latest USO scan.
- **ScenarioId** Indicates the update scenario.
- **SessionId** Unique value for each update attempt.
- **StartFreeSpace** Free space before expand phase.
- **StartSandboxSize** Sandbox size after expand phase.
- **UpdateId** Unique ID for each update.
### Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
@ -4501,6 +4736,22 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
### Update360Telemetry.UpdateAgentInstall
This event sends data for the install phase of updating Windows.
The following fields are available:
- **ErrorCode** The error code returned for the current install phase.
- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
- **ObjectId** Correlation vector value generated from the latest USO scan.
- **RelatedCV** Correlation vector value generated from the latest USO scan.
- **Result** The result for the current install phase.
- **ScenarioId** Indicates the update scenario.
- **SessionId** Unique value for each update attempt.
- **UpdateId** Unique ID for each update.
### Update360Telemetry.UpdateAgentMitigationResult
This event sends data indicating the result of each update agent mitigation.
@ -4578,6 +4829,18 @@ The following fields are available:
## Upgrade events
### FacilitatorTelemetry.DCATDownload
This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure.
### FacilitatorTelemetry.InitializeDU
This event determines whether devices received additional or critical supplemental content during an OS upgrade.
### Setup360Telemetry.Downlevel
This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
@ -4865,7 +5128,7 @@ The following fields are available:
- **RebootReason** Reason for the reboot.
## Microsoft Store events
## Windows Store events
### Microsoft.Windows.Store.Partner.ReportApplication
@ -5623,17 +5886,17 @@ This event indicates that a scan for a Windows Update occurred.
The following fields are available:
- **deferReason** Reason why the device could not check for updates.
- **detectionBlockreason** Reason for detection not completing.
- **deferReason** The reason why the device could not check for updates.
- **detectionBlockreason** The reason detection did not complete.
- **detectionDeferreason** A log of deferral reasons for every update state.
- **errorCode** The returned error code.
- **errorCode** The error code returned for the current process.
- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
- **flightID** The specific ID of the Windows Insider build the device is getting.
- **interactive** Indicates whether the session was user initiated.
- **revisionNumber** Update revision number.
- **updateId** Update ID.
- **updateScenarioType** The update session type.
- **wuDeviceid** Unique device ID used by Windows Update.
- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
- **interactive** Indicates whether the user initiated the session.
- **revisionNumber** The Update revision number.
- **updateId** The unique identifier of the Update.
- **updateScenarioType** Identifies the type of update session being performed.
- **wuDeviceid** The unique device ID used by Windows Update.
### Microsoft.Windows.Update.Orchestrator.Download
@ -5696,7 +5959,7 @@ The following fields are available:
- **deferReason** Reason for install not completing.
- **errorCode** The error code reppresented by a hexadecimal value.
- **eventScenario** End-to-end update session ID.
- **flightID** The specific ID of the Windows Insider build the device is getting.
- **flightID** The ID of the Windows Insider build the device is getting.
- **flightUpdate** Indicates whether the update is a Windows Insider build.
- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
@ -5741,14 +6004,26 @@ This event is sent after a Windows update install completes.
The following fields are available:
- **batteryLevel** Current battery capacity in mWh or percentage left.
- **bundleId** Identifier associated with the specific content bundle.
- **batteryLevel** Current battery capacity in megawatt-hours (mWh) or percentage left.
- **bundleId** The unique identifier associated with the specific content bundle.
- **bundleRevisionnumber** Identifies the revision number of the content bundle.
- **errorCode** The error code returned for the current phase.
- **eventScenario** State of update action.
- **flightID** Unique update ID.
- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
- **sessionType** The Windows Update session type (Interactive or Background).
- **wuDeviceid** Unique device ID used by Windows Update.
- **wuDeviceid** The unique device identifier used by Windows Update.
### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed.
The following fields are available:
- **powermenuNewOptions** The new options after the power menu changed.
- **powermenuOldOptions** The old options before the power menu changed.
- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to a update, this indicates how long that reboot has been pending.
- **wuDeviceid** The device ID recorded by Windows Update if the power menu changed because a reboot is pending due to an update.
### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
@ -5953,7 +6228,7 @@ The following fields are available:
- **revisionNumber** Revision number of the OS.
- **scheduledRebootTime** Time scheduled for the reboot.
- **updateId** Identifies which update is being scheduled.
- **wuDeviceid** Unique device ID used by Windows Update.
- **wuDeviceid** The unique device ID used by Windows Update.
### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot
@ -5985,12 +6260,44 @@ The following fields are available:
## Windows Update mitigation events
### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
The following fields are available:
- **ClientId** The client ID used by Windows Update.
- **FlightId** The ID of each Windows Insider build the device received.
- **InstanceId** A unique device ID that identifies each update instance.
- **MitigationScenario** The update scenario in which the mitigation was executed.
- **MountedImageCount** The number of mounted images.
- **MountedImageMatches** The number of mounted image matches.
- **MountedImagesFailed** The number of mounted images that could not be removed.
- **MountedImagesRemoved** The number of mounted images that were successfully removed.
- **MountedImagesSkipped** The number of mounted images that were not found.
- **RelatedCV** The correlation vector value generated from the latest USO scan.
- **Result** HResult of this operation.
- **ScenarioId** ID indicating the mitigation scenario.
- **ScenarioSupported** Indicates whether the scenario was supported.
- **SessionId** Unique value for each update attempt.
- **UpdateId** Unique ID for each Windows Update.
- **WuId** Unique ID for the Windows Update client.
### Mitigation360Telemetry.MitigationCustom.FixupEditionId
This event sends data specific to the FixupEditionId mitigation used for OS Updates.
## Windows Update Reserve Manager events
### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment
This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment.
## Winlogon events
### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon

793
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
View File

File diff suppressed because it is too large Load Diff

811
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
View File

File diff suppressed because it is too large Load Diff

888
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
View File

File diff suppressed because it is too large Load Diff

42
windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md Normal file
View File

@ -0,0 +1,42 @@
---
title: WebAuthn APIs
description: Enabling password-less authentication for your sites and apps
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: aabhathipsay
ms.author: aathipsa
ms.localizationpriority: medium
ms.date: 02/15/2019
---
# WebAuthn APIs for password-less authentication on Windows 10
### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can leverage password-less authentication.
Microsoft has long been a proponent to do away with passwords.
While working towards that goal, we'd like to introduce you to the latest Windows 10 (version 1903) W3C/FIDO2 Win32 WebAuthn platform APIs!
These APIs allow Microsoft developer partners and the developer community to leverage Windows Hello and FIDO2 security keys
as a password-less authentication mechanism for their applications on Windows 10 devices.
#### What does this mean?
This opens opportunities for developers or relying parties (RPs) to enable password-less authentication.
They can now leverage [Windows Hello](https://aka.ms/whfb) or [FIDO2 Security Keys](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key)
as a password-less multi-factor credential for authentication.
<br>
Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication
and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs site!
<br> <br>
The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later
and latest versions of other browsers.
<br> <br>
Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users.
Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC and BLE
without having to deal with the interaction and management overhead.
This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO related messaging.
#### Where can developers learn more?
The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)

4
windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
View File

@ -104,7 +104,7 @@ Sign in the domain controller with _domain administrator_ equivalent credentials
##### Add accounts to the Phonefactor Admins group
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organizations Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**.
2. In the navigation pane, expand the node with the organizations Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**.
3. Click the **Members** tab.
4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**.
* The computer account for the primary MFA Server
@ -224,7 +224,7 @@ See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Wi
Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server.
>[!IMPORTANT]
>Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article.
>Only follow the above mention article to install Azure MFA Server. Once it is installed, continue configuration using this article.
### Configuring Company Settings

9
windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 02/04/2019
ms.date: 02/19/2019
---
# BitLocker: How to deploy on Windows Server 2012 and later
@ -41,12 +41,7 @@ Windows PowerShell offers administrators another option for BitLocker feature in
 
### Using the servermanager module to install BitLocker
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. This can be determined using the `Get-WindowsFeature` cmdlet with a query such as:
``` syntax
Get-WindowsFeature Bit
```
The results of this command displays a table of all of the feature names beginning with “Bit” as their prefix. This allows you to confirm that the feature name is `BitLocker` for the BitLocker feature.
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell.

2
windows/security/information-protection/encrypted-hard-drive.md
View File

@ -62,7 +62,7 @@ For Encrypted Hard Drives used as **startup drives**:
 
## Technical overview
Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
## Configuring Encrypted Hard Drives as Startup drives

6
windows/security/threat-protection/TOC.md
View File

@ -7,7 +7,7 @@
##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
###### [System integrity](windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
@ -122,7 +122,9 @@
### [Configure and manage capabilities](windows-defender-atp/onboard.md)
#### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
####Hardware-based isolation
##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
##### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md)
###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### Device control

5
windows/security/threat-protection/intelligence/coinminer-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Coin miners

5
windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Coordinated Malware Eradication

5
windows/security/threat-protection/intelligence/criteria.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/01/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# How Microsoft identifies malware and potentially unwanted applications

5
windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Industry collaboration programs

12
windows/security/threat-protection/intelligence/developer-faq.md
View File

@ -10,7 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/01/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Software developer FAQ
@ -18,9 +21,11 @@ ms.date: 07/01/2018
This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
## Does Microsoft accept files for a known list or false-positive prevention program?
No. We do not accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers.
## How do I dispute the detection of my program?
Submit the file in question as a software developer. Wait until your submission has a final determination.
If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
@ -28,14 +33,17 @@ If you're not satisfied with our determination of the submission, use the develo
We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted software.
## Why is Microsoft asking for a copy of my program?
This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
## Why does Microsoft classify my installer as a software bundler?
It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to check applications for behaviors that are considered unwanted.
## Why is the Windows Firewall blocking my program?
This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.

7
windows/security/threat-protection/intelligence/developer-info.md
View File

@ -10,13 +10,18 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/13/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Information for developers
Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions.
## In this section
Topic | Description
:---|:---
[Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers.

11
windows/security/threat-protection/intelligence/developer-resources.md
View File

@ -6,11 +6,14 @@ search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/13/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Software developer resources
@ -19,7 +22,9 @@ Concerned about the detection of your software?
If you believe that your application or program has been incorrectly detected by Microsoft security software, submit the relevant files for analysis.
Check out the following resources for information on how to submit and view submissions:
- [Submit files](https://www.microsoft.com/en-us/wdsi/filesubmission)
- [View your submissions](https://www.microsoft.com/en-us/wdsi/submissionhistory)
## Additional resources
@ -34,4 +39,4 @@ Find more guidance about the file submission and detection dispute process in ou
### Scan your software
Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) to check your software against the latest Security intelligence and cloud protection from Microsoft.
Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.

7
windows/security/threat-protection/intelligence/exploits-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Exploits and exploit kits
@ -26,7 +29,7 @@ The infographic below shows how an exploit kit might attempt to exploit a device
![example of how exploit kits work](./images/ExploitKit.png)
*Example of how exploit kits work*
*Figure 1. Example of how exploit kits work*
Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.

11
windows/security/threat-protection/intelligence/fileless-threats.md
View File

@ -6,9 +6,12 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: eravena
author: eavena
ms.date: 09/14/2018
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Fileless threats
@ -91,6 +94,6 @@ Having described the broad categories, we can now dig into the details and provi
## Defeating fileless malware
At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)

7
windows/security/threat-protection/intelligence/index.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Security intelligence
@ -19,6 +22,6 @@ Here you will find information about different types of malware, safety tips on
* [Submit files for analysis](submission-guide.md)
* [Safety Scanner download](safety-scanner-download.md)
Keep up with the latest malware news and research. Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
Keep up with the latest malware news and research. Check out our [Windows security blogs](https://cloudblogs.microsoft.com/microsoftsecure/?product=windows,windows-defender-advanced-threat-protection) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
Learn more about [Windows security](https://docs.microsoft.com/windows/security/index).

5
windows/security/threat-protection/intelligence/macro-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Macro malware

5
windows/security/threat-protection/intelligence/malware-naming.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Malware names

5
windows/security/threat-protection/intelligence/phishing.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Phishing

15
windows/security/threat-protection/intelligence/prevent-malware-infection.md
View File

@ -8,14 +8,15 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Prevent malware infection
Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay protected and minimize threats to your data and accounts.
You can also browse the many [software and application solutions](https://review.docs.microsoft.com/en-us/windows/security/intelligence/prevent-malware-infection?branch=wdsi-migration-stuff#software-solutions) available to you.
## Keep software up-to-date
[Exploits](exploits-malware.md) typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits anymore.
@ -28,7 +29,7 @@ Email and other messaging tools are a few of the most common ways your device ca
* Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](https://support.office.com/article/Anti-spam-and-anti-malware-protection-in-Office-365-5ce5cf47-2120-4e51-a403-426a13358b7e) has built-in antimalware, link protection, and spam filtering.
For more information, see [Phishing](phishing.md).
For more information, see [phishing](phishing.md).
## Watch out for malicious or compromised websites
@ -50,7 +51,7 @@ Using pirated content is not only illegal, it can also expose your device to mal
Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.
To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/windows-10-s?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/en-us/windows/s-mode?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
## Don't attach unfamiliar removable drives
@ -94,7 +95,7 @@ Microsoft provides comprehensive security capabilities that help protect against
* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.
* [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
* [Microsoft Safety Scanner](safety-scanner-download.md) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
* [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/#pivot=itadmin&panel=it-security) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
@ -114,4 +115,4 @@ Microsoft provides comprehensive security capabilities that help protect against
Windows Defender ATP antivirus capabilities helps reduce the chances of infection and will automatically remove threats that it detects.
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).

5
windows/security/threat-protection/intelligence/ransomware-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Ransomware

7
windows/security/threat-protection/intelligence/rootkits-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Rootkits
@ -50,7 +53,7 @@ For more general tips, see [prevent malware infection](prevent-malware-infection
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isnt detecting it, you might need an extra tool that lets you boot to a known trusted environment.
[Windows Defender Offline](https://windows.microsoft.com/windows/what-is-windows-defender-offline) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. Its designed to be used on devices that aren't working correctly due to a possible malware infection.
[Windows Defender Offline](https://support.microsoft.com/help/17466/windows-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. Its designed to be used on devices that aren't working correctly due to a possible malware infection.
[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity.

24
windows/security/threat-protection/intelligence/safety-scanner-download.md
View File

@ -6,11 +6,15 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: dansimp
author: dansimp
ms.date: 08/01/2018
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Safety Scanner
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733)
@ -24,12 +28,14 @@ Safety Scanner only scans when manually triggered and is available for use 10 da
> **NOTE:** Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
## System requirements
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle).
## How to run a scan
1. Download this tool and open it.
2. Select the type of scan you want run and start the scan.
3. Review the scan results displayed on screen. The tool lists all identified malware.
3. Review the scan results displayed on screen. For detailed detection results, view the log at **%SYSTEMROOT%\debug\msert.log**.
To remove this tool, delete the executable file (msert.exe by default).
@ -37,9 +43,9 @@ For more information about the Safety Scanner, see the support article on [how t
## Related resources
- [Troubleshooting Safety Scanner](https://support.microsoft.com/kb/2520970)
- [Windows Defender Antivirus](https://www.microsoft.com/en-us/windows/windows-defender)
- [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner)
- [Windows Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security)
- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download)
- [Removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection)
- [Submit file for malware analysis](https://www.microsoft.com/en-us/wdsi/filesubmission)
- [Microsoft antimalware and threat protection solutions](https://www.microsoft.com/en-us/wdsi/products)
- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware)
- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission)
- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection)

5
windows/security/threat-protection/intelligence/submission-guide.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/01/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Submit files for analysis

5
windows/security/threat-protection/intelligence/supply-chain-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Supply chain attacks

7
windows/security/threat-protection/intelligence/support-scams.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Tech support scams
@ -60,4 +63,4 @@ Help Microsoft stop scammers, whether they claim to be from Microsoft or from an
**www.microsoft.com/reportascam**
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality.
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.

10
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
View File

@ -8,11 +8,15 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Top scoring in industry tests
Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
## Endpoint detection & response
@ -106,8 +110,8 @@ SE Labs tests a range of solutions used by products and services to detect and/o
It is important to remember that Microsoft sees a wider and broader set of threats beyond whats tested in the evaluations highlighted above. For example, in an average month, we identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
The capabilities within [Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
![ATP](./images/wdatp-pillars2.png)

7
windows/security/threat-protection/intelligence/trojans-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Trojans
@ -37,6 +40,6 @@ Use the following free Microsoft software to detect and remove it:
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
- [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner)
- [Microsoft Safety Scanner](safety-scanner-download.md)
For more general tips, see [prevent malware infection](prevent-malware-infection.md).

9
windows/security/threat-protection/intelligence/understanding-malware.md
View File

@ -1,6 +1,6 @@
---
title: Understanding malware & other threats
description: Learn about the world's most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent & remove them.
description: Learn about the most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent &amp; remove them.
keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi
ms.prod: w10
ms.mktglfcycl: secure
@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Understanding malware & other threats
@ -16,7 +19,7 @@ Malware is a term used to describe malicious applications and code that can caus
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf), businesses can stay protected with next-generation protection and other security capabilities.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)), businesses can stay protected with next-generation protection and other security capabilities.
For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic.

9
windows/security/threat-protection/intelligence/unwanted-software.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Unwanted software
@ -30,7 +33,7 @@ Here are some indications of unwanted software:
Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser.
Microsoft uses an extensive [evaluation criteria](https://www.microsoft.com/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria) to identify unwanted software.
Microsoft uses an extensive [evaluation criteria](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria) to identify unwanted software.
## How to protect against unwanted software
@ -57,4 +60,4 @@ If you only recently noticed symptoms of unwanted software infection, consider s
You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome.
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).

7
windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Virus Information Alliance
@ -46,4 +49,4 @@ To be eligible for VIA your organization must:
3. Be willing to sign and adhere to the VIA membership agreement.
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).

7
windows/security/threat-protection/intelligence/virus-initiative-criteria.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Virus Initiative
@ -54,4 +57,4 @@ Your organization must meet the following eligibility requirements to participat
### Apply now
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).

5
windows/security/threat-protection/intelligence/worms-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Worms

23
windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: jsuther1974
ms.date: 02/28/2018
ms.date: 02/19/2019
---
# Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business
@ -16,4 +16,25 @@ ms.date: 02/28/2018
**Applies to:**
- Windows 10
- Windows Server 2019
- Windows Server 2016
You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
## Sign your code integrity policy
Before you get started, be sure to review these best practices:
**Best practices**
- Test your code integrity policies on a pilot group of devices before deploying them to production.
- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Deploy Windows Defender Application Control policy rules and file rules](hhttps://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create).
**To sign a code integrity policy**
1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, click **Store settings**, and then click **Device Guard**.
3. Click **Upload** to upload your code integrity policy.
4. After the files are uploaded, click **Sign** to sign the code integrity policy.
5. Click **Download** to download the signed code integrity policy.
When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then sign the policy again.

4
windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
ms.date: 02/07/2019
ms.date: 02/19/2019
---
# Prepare to install Windows Defender Application Guard
@ -58,7 +58,7 @@ Employees can use hardware-isolated browsing sessions without any administrator
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests tooad non-enterprise domain(s) in the container.
You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container.
The following diagram shows the flow between the host PC and the isolated container.
![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png)

7
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -5,7 +5,7 @@
#### [Hardware-based isolation](overview-hardware-based-isolation.md)
##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
##### [System isolation](how-hardware-based-containers-help-protect-windows.md)
##### [System integrity](../windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
@ -120,7 +120,9 @@
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
###Hardware-based isolation
#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
#### [Application isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### Device control
@ -136,7 +138,6 @@
#### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
#### [Attack surface reduction controls](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)

3
windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
---
# Enable conditional access to better protect users, devices, and data
@ -57,7 +56,7 @@ There are three ways to address a risk:
2. Resolve active alerts on the machine. This will remove the risk from the machine.
3. You can remove the machine from the active policies and consequently, conditional access will not be applied on the machine.
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](#configure-conditional-access).
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md).
When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.

58
windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md
View File

@ -1,58 +0,0 @@
---
title: How hardware-based containers help protect Windows 10 (Windows 10)
description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
author: justinha
ms.date: 08/01/2018
---
# Windows Defender System Guard: How hardware-based containers help protect Windows 10
Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make the these security guarantees:
- Protect and maintain the integrity of the system as it starts up
- Protect and maintain the integrity of the system after it's running
- Validate that system integrity has truly been maintained through local and remote attestation
## Maintaining the integrity of the system as it starts
With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the devices Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
After successful verification and startup of the devices firmware and Windows bootloader, the next opportunity for attackers to tamper with the systems integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection.
This is where Windows Defender System Guard protection begins with its ability to ensure that only properly signed and secure Windows files and drivers, including third party, can start on the device. At the end of the Windows boot process, System Guard will start the systems antimalware solution, which scans all third party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasnt been compromised before the remainder of your system defenses start.
![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
## Maintaining integrity of the system after its running (run time)
Prior to Windows 10, if an attacker exploited the system and gained SYSTEM level privilege or they compromised the kernel itself, it was game over. The level of control that an attacker would acquire in this condition would enable them to tamper with and bypass many, if not all, of your system defenses. While we have a number of development practices and technologies (such as Windows Defender Exploit Guard) that have made it difficult to gain this level of privilege in Windows 10, the reality is that we needed a way to maintain the integrity of the most sensitive Windows services and data, even when the highest level of privilege has been secured by an adversary.
With Windows 10, we introduced the concept of virtualization-based security (VBS), which enables us to contain the most sensitive Windows services and data in hardware-based isolation, which is the Windows Defender System Guard container. This secure environment provides us with the hardware-based security boundary we need to be able to secure and maintain the integrity of critical system services at run time like Credential Guard, Device Guard, Virtual TPM and parts of Windows Defender Exploit Guard, just to name a few.
![Windows Defender System Guard](images/windows-defender-system-guard.png)
## Validating platform integrity after Windows is running (run time)
While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we cant just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the devices integrity.
As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the devices Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the devices firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png)

22
windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
View File

@ -26,11 +26,15 @@ ms.topic: conceptual
The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink)
Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
For more information on capabilities that are generally available or in preview, see [What's new in Windows Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp).
)
## Turn on preview features
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
Turn on the preview experience setting to be among the first to try upcoming features.
@ -39,22 +43,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Preview features
The following features are included in the preview release:
- [Information protection](information-protection-in-windows-overview.md)<br>
Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)<br>
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
- [Onboard Windows Server 2019](configure-server-endpoints-windows-defender-advanced-threat-protection.md#windows-server-version-1803-and-windows-server-2019) <br>
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)

7
windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md
View File

@ -35,13 +35,16 @@ The following steps guide you on how to create roles in Windows Defender Securit
3. Enter the role name, description, and permissions you'd like to assign to the role.
- **Role name**
- **Description**
- **Permissions**
- **View data** - Users can view information in the portal.
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
>[!NOTE]
>This setting is only available in the Windows Defender ATP administrator (default) role.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
4. Click **Next** to assign the role to an Azure AD group.

109
windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md
View File

@ -5,72 +5,89 @@ keywords: what's new in windows defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.mktglfcycl: secure
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.topic: conceptual
---
# What's new in Windows Defender ATP
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Here are the new features in the latest release of Windows Defender ATP.
Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server.
## Windows Defender ATP 1809
- [Incidents](incidents-queue.md)<br>
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
## February 2019
The following capabilities are generally available (GA).
- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue) <BR> Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
- [Support for iOS and Android devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection#turn-on-third-party-integration)<br> Support for iOS and Android devices are now supported.
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)<BR> Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.
- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)<br>
Controlled folder access is now supported on Windows Server 2019.
- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)<br>
All Attack surface reduction rules are now supported on Windows Server 2019.
For Windows 10, version 1809 there are two new attack surface reduction rules:
## October 2018
The following capabilities are generally available (GA).
- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)<BR>All Attack surface reduction rules are now supported on Windows Server 2019.
- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)<BR> Controlled folder access is now supported on Windows Server 2019.
- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)<BR>With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<BR> Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)<BR> Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)<BR>Windows Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.
- [Support for iOS and Android devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection#turn-on-third-party-integration)<BR> iOS and Android devices are now supported and can be onboarded to the service.
- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)<BR>
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- New in Windows 10 version 1809, there are two new attack surface reduction rules:
- Block Adobe Reader from creating child processes
- Block Office communication application from creating child processes.
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
- Windows Defender Antivirus can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
- Windows Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
- [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans.
### In preview
The following capabilities are included in the October 2018 preview release.
- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)<br>
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
For more information on how to turn on preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)<br>
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
- [Information protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview)<BR>
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)<br>
Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
>[!NOTE]
>Partially available from Windows 10, version 1809.
- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<br>
Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) <BR> Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)<br>
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
>[!NOTE]
>Available from Windows 10, version 1809 or later.
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) <br>
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) <BR> Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)<br>
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.
- [Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) <br>
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)<br>
Windows Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.
## Windows Defender ATP 1803
- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
## March 2018
- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) <BR>
Query data using Advanced hunting in Windows Defender ATP.
- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)<BR>
New attack surface reduction rules:
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
@ -78,15 +95,29 @@ New attack surface reduction rules:
- Block untrusted and unsigned processes that run from USB
- Block executable content from email client and webmail
- [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<BR> Use Automated investigations to investigate and remediate threats.
- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) <br>
>[!NOTE]
>Available from Windows 10, version 1803 or later.
- [Conditional access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) <br> Enable conditional access to better protect users, devices, and data.
- [Windows Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)<BR>
The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)<BR>
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br>
Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus).
- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) <br> Query data using Advanced hunting in Windows Defender ATP
- [Onboard non-Windows machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)<BR>
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network.
- [Automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br> Use Automated investigations to investigate and remediate threats
- [Role-based access control (RBAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)<BR>
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal.
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<BR>
Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus).
- [Conditional access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) <br> Enable conditional access to better protect users, devices, and data

225
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -1,6 +1,6 @@
---
title: Use attack surface reduction rules to prevent malware infection
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 11/29/2018
---
# Reduce attack surfaces with attack surface reduction rules
@ -20,26 +19,25 @@ ms.date: 11/29/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides:
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019.
To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
- Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually initiated during normal day-to-day work
- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks
- Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled
- Obfuscated or otherwise suspicious scripts
- Behaviors that apps don't usually initiate during normal day-to-day work
When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
Attack surface reduction is supported on Windows 10, version 1709 and later and Windows Server 2019.
Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender ATP Security Center and on the M365 console.
## Requirements
Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
## Attack surface reduction rules
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table.
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy:
Rule name | GUID
-|-
@ -50,7 +48,7 @@ Block Office applications from injecting code into other processes | 75668C1F-73
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
@ -58,147 +56,186 @@ Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
### Rule: Block executable content from email client and webmail
Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
### Block executable content from email client and webmail
This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
### Rule: Block all Office applications from creating child processes
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
SCCM name: Block executable content from email client and webmail
>[!NOTE]
>This does not include Outlook. For Outlook, please see [Block Office communication applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#rule-block-office-communication-applications-from-creating-child-processes).
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Block all Office applications from creating child processes
### Rule: Block Office applications from creating executable content
This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.
This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
Intune name: Office apps launching child processes
### Rule: Block Office applications from injecting code into other processes
SCCM name: Block Office application from creating child processes
Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes.
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
### Block Office applications from creating executable content
### Rule: Block JavaScript or VBScript From launching downloaded executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
Intune name: Office apps/macros creating executable content
### Rule: Block execution of potentially obfuscated scripts
SCCM name: Block Office applications from creating executable content
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
This rule prevents scripts that appear to be obfuscated from running.
### Block Office applications from injecting code into other processes
### Rule: Block Win32 API calls from Office macro
Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
This rule applies to Word, Excel, and PowerPoint.
This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
Intune name: Office apps injecting code into other processes (no exceptions)
### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
SCCM name: Block Office applications from injecting code into other processes
This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
### Block JavaScript or VBScript from launching downloaded executable content
Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run.
>[!IMPORTANT]
>File and folder exclusions don't apply to this attack surface reduction rule.
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
SCCM name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
### Block execution of potentially obfuscated scripts
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
Intune name: Obfuscated js/vbs/ps/macro code
SCCM name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
### Block Win32 API calls from Office macros
Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
Intune name: Win32 imports from Office macro code
SCCM name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
- Executable files (such as .exe, .dll, or .scr)
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
### Rule: Use advanced protection against ransomware
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
### Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Intune name: Advanced ransomware protection
SCCM name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!NOTE]
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
>In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
### Rule: Block process creations originating from PSExec and WMI commands
Intune name: Flag credential stealing from the Windows local security authority subsystem
SCCM name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
### Block process creations originating from PSExec and WMI commands
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
>[!WARNING]
>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.]
>[!IMPORTANT]
>File and folder exclusions do not apply to this attack surface reduction rule.
### Rule: Block untrusted and unsigned processes that run from USB
>[!WARNING]
>Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
Intune name: Process creation from PSExec and WMI commands
SCCM name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
### Block untrusted and unsigned processes that run from USB
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block Office communication application from creating child processes
Intune name: Untrusted and unsigned processes that run from USB
Outlook will not be allowed to create child processes.
SCCM name: Block untrusted and unsigned processes that run from USB
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
### Block Office communication application from creating child processes
This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
>[!NOTE]
>This rule applies to Outlook only.
>This rule applies to Outlook and Outlook.com only.
### Rule: Block Adobe Reader from creating child processes
Intune name: Not yet available
This rule blocks Adobe Reader from creating child processes.
SCCM name: Not yet available
## Review attack surface reduction rule events in the Windows Defender ATP Security Center
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
### Block Adobe Reader from creating child processes
You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled.
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
## Review attack surface reduction rule events in Windows Event Viewer
Intune name: Not applicable
You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
SCCM name: Not applicable
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
5. Click **OK**.
6. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
Event ID | Description
-|-
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode
### Event fields
- **ID**: matches with the Rule-ID that triggered the block/audit.
- **Detection time**: Time of detection
- **Process Name**: The process that performed the "operation" that was blocked/audited
- **Description**: Additional details about the event or audit, including Security intelligence, engine, and product version of Windows Defender Antivirus
## Attack surface reduction rules in Windows 10 Enterprise E3
A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3).
## In this section
Topic | Description
---|---
[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created.
[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network.
[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file.
## Related topics
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)

147
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -11,47 +11,72 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/17/2018
---
# Enable attack surface reduction rules
**Applies to:**
[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules.
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
## Exclude files and folders from ASR rules
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
>[!WARNING]
>Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
>
>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
>[!IMPORTANT]
>File and folder exclusions do not apply to the following ASR rules:
>
>- Block process creations originating from PSExec and WMI commands
>- Block JavaScript or VBScript from launching downloaded executable content
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
## Enable and audit attack surface reduction rules
You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
It's best to use an enterprise-level management platform like Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or third-party mobile device management (MDM) CSPs.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
>[!WARNING]
>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy or PowerShell settings on startup.
Attack surface reduction rules are identified by their unique rule ID.
For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md).
You can manually add the rules by using the GUIDs in the following table:
Each ASR rule contains three settings:
Rule description | GUID
-|-
Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9B1eeee46550
Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a
Block Office applications from creating executable content | 3b576869-a4eC-4529-8536-b80a7769e899
Block Office applications from injecting code into other processes | 75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84
Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d
Block execution of potentially obfuscated scripts | 5beb7efe-fd9A-4556-801d-275e5ffc04cc
Block Win32 API calls from Office macro | 92e97fa1-2edf-4476-bdd6-9dd0B4dddc7b
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
* Not configured: Disable the ASR rule
* Block: Enable the ASR rule
* Audit: Evaluate how the ASR rule would impact your organization if enabled
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
### Use Group Policy to enable or audit attack surface reduction rules
### Enable ASR rules in Intune
1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*.
2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule.
3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one.
### Enable ASR rules in SCCM
For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy).
### Enable ASR rules with Group Policy
>[!WARNING]
>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -59,32 +84,43 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
- Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
- Block mode = 1
- Disabled = 0
- Audit mode = 2
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png)
### Use PowerShell to enable or audit attack surface reduction rules
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
### Enable ASR rules with PowerShell
>[!WARNING]
>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
```
You can enable the feature in audit mode using the following cmdlet:
To enable ASR rules in audit mode, use the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
```
Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
>[!IMPORTANT>
>You must specify the state individually for each rule, but you can combine rules and states in a comma seperated list.
To turn off ASR rules, use the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled
```
>[!IMPORTANT]
>You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list.
>
>In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
>
@ -92,20 +128,51 @@ Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
>Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
>```
You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
>[!WARNING]
>`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
>You can obtain a list of rules and their current state by using `Get-MpPreference`
3. To exclude files and folders from ASR rules, use the following cmdlet:
### Use MDM CSPs to enable attack surface reduction rules
```PowerShell
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
```
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list.
>[!IMPORTANT]
>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
### Enable ASR rules with MDM CSPs
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
The values to enable, disable, or enable in audit mode are:
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Example:
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
Value: c:\path|e:\path|c:\Whitelisted.exe
>[!NOTE]
>Be sure to enter OMA-URI values without spaces.
## Related topics
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
- [Customize attack surface reduction](customize-attack-surface-reduction.md)
- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 02/14/2019
---
# Enable controlled folder access
@ -20,7 +20,7 @@ ms.date: 10/02/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
This topic describes how to enable Controlled folder access with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).

6
windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 02/14/2019
---
# Enable exploit protection
@ -20,9 +20,9 @@ ms.date: 08/08/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
## Enable and audit exploit protection

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 02/14/2019
---
# Enable network protection
@ -20,7 +20,7 @@ ms.date: 05/30/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic describes how to enable network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).

4
windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 11/29/2018
ms.date: 02/14/2019
---
# Protect your network
@ -71,7 +71,7 @@ You can review the Windows event log to see events that are created when network
1125 | Event when network protection fires in audit mode
1126 | Event when network protection fires in block mode
## In this section
## Related topics
Topic | Description
---|---

5
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
View File

@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 09/18/2018
---
# Troubleshoot attack surface reduction rules
@ -40,7 +39,7 @@ Attack surface reduction rules will only work on devices with the following cond
> - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update).
> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
@ -61,7 +60,7 @@ Follow the instructions in [Use the demo tool to see how attack surface reductio
Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run.
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.

83
windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md Normal file
View File

@ -0,0 +1,83 @@
---
title: How a hardware-based root of trust helps protect Windows 10 (Windows 10)
description: Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.date: 02/14/2019
---
# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
- Protect and maintain the integrity of the system as it starts up
- Validate that system integrity has truly been maintained through local and remote attestation
## Maintaining the integrity of the system as it starts
### Static Root of Trust for Measurement (SRTM)
With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
This hardware-based root of trust comes from the devices Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known 'good' SRTM measurements (also known as a whitelist).
Each option has a drawback:
- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed.
- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow.
In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.
### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
![System Guard Secure Launch](images/system-guard-secure-launch.png)
Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.
### System Management Mode (SMM) protection
System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if DRTM is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
To defend against this, two techniques are used:
1. Paging protection to prevent inappropriate access to code and data
2. SMM hardware supervision and attestation
Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering.
This prevents access to any memory that has not been specifically assigned.
A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to.
SMM protection is built on top of the Secure Launch technology and requires it to function.
In the future, Windows 10 will also measure this SMI Handlers behavior and attest that no OS-owned memory has been tampered with.
## Validating platform integrity after Windows is running (run time)
While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we cant just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the devices integrity.
As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the devices Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the devices firmware, hardware configuration state, and Windows boot-related components, just to name a few.
![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.

BIN
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 152 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 240 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 62 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

66
windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md Normal file
View File

@ -0,0 +1,66 @@
---
title: System Guard Secure Launch and SMM protection (Windows 10)
description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices.
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.date: 02/14/2019
---
# System Guard Secure Launch and SMM protection
This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 devices.
## How to enable System Guard Secure Launch
You can enable System Guard Secure Launch by using any of these options:
- [Mobile Device Management (MDM)](#mobile-device-management)
- [Group Policy](#group-policy)
- [Windows Security app](#windows-security-app)
- [Registry](#registry)
### Mobile Device Management
System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using DeviceGuard policies in the Policy CSP, specifically [DeviceGuard/ConfigureSystemGuardLaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch).
### Group Policy
1. Click **Start** > type and then click **Edit group policy**.
2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
![Secure Launch Group Policy](images/secure-launch-group-policy.png)
### Windows Security app
Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
![Secure Launch Security App](images/secure-launch-security-app.png)
### Registry
1. Open Registry editor.
2. Click **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**.
3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**.
4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**.
5. Double-click **Enabled**, change the value to **1**, and click **OK**.
![Secure Launch Registry](images/secure-launch-registry.png)
## How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
![Secure Launch Security App](images/secure-launch-msinfo.png)