mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 14:57:23 +00:00
Merge pull request #8852 from MicrosoftDocs/lsaldanha-4715491-batch3
updated-4715491
This commit is contained in:
Daniel Simpson
GitHub
commit
5926a94a42
@ -57,9 +57,9 @@ You can [configure how locally and globally defined exclusions lists are merged]
|
||||
|
||||
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
|
||||
|
||||
### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans
|
||||
### Use Microsoft Endpoint Manager to exclude files that have been opened by specified processes from scans
|
||||
|
||||
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
|
||||
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch).
|
||||
|
||||
### Use Group Policy to exclude files that have been opened by specified processes from scans
|
||||
|
||||
|
||||
@ -42,13 +42,13 @@ You'll also see additional links for:
|
||||
Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
|
||||
---|---|---|---
|
||||
Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management)
|
||||
Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
|
||||
Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
|
||||
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
|
||||
PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][]
|
||||
Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
|
||||
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Defender*](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD.
|
||||
|
||||
1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
|
||||
1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
|
||||
|
||||
2. <span id="fn2" />In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
|
||||
|
||||
|
||||
@ -99,9 +99,9 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic
|
||||
|
||||
#### Use Configuration Manager to configure PUA protection
|
||||
|
||||
PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch).
|
||||
PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch).
|
||||
|
||||
See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch).
|
||||
See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Manager (Current Branch).
|
||||
|
||||
For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA).
|
||||
|
||||
@ -157,7 +157,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
|
||||
|
||||
### View PUA events
|
||||
|
||||
PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune.
|
||||
PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune.
|
||||
|
||||
You can turn on email notifications to receive mail about PUA detections.
|
||||
|
||||
|
||||
@ -33,7 +33,7 @@ You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c
|
||||
|
||||
### Use Configuration Manager to check for protection updates before running a scan
|
||||
|
||||
1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
|
||||
1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
|
||||
|
||||
2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**.
|
||||
|
||||
|
||||
@ -37,7 +37,7 @@ If Microsoft Defender Antivirus did not download protection updates for a specif
|
||||
|
||||
### Use Configuration Manager to configure catch-up protection updates
|
||||
|
||||
1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
|
||||
1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
|
||||
|
||||
2. Go to the **Security intelligence updates** section and configure the following settings:
|
||||
|
||||
@ -166,7 +166,7 @@ See the following for more information and allowed parameters:
|
||||
|
||||
### Use Configuration Manager to configure catch-up scans
|
||||
|
||||
1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
|
||||
1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
|
||||
|
||||
2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**.
|
||||
|
||||
|
||||
@ -37,7 +37,7 @@ You can also randomize the times when each endpoint checks and downloads protect
|
||||
|
||||
## Use Configuration Manager to schedule protection updates
|
||||
|
||||
1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
|
||||
1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
|
||||
|
||||
2. Go to the **Security intelligence updates** section.
|
||||
|
||||
|
||||
@ -71,7 +71,7 @@ Each source has typical scenarios that depend on how your network is configured,
|
||||
|Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.|
|
||||
|Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.|
|
||||
|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
|
||||
|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.|
|
||||
|Microsoft Endpoint Manager | You are using Microsoft Endpoint Manager to update your endpoints.|
|
||||
|Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
|
||||
|
||||
You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
|
||||
@ -111,7 +111,7 @@ The procedures in this article first describe how to set the order, and then how
|
||||
|
||||
## Use Configuration Manager to manage the update location
|
||||
|
||||
See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
|
||||
See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Manager (current branch).
|
||||
|
||||
|
||||
## Use PowerShell cmdlets to manage the update location
|
||||
|
||||
@ -58,7 +58,7 @@ See the [Manage Microsoft Defender Antivirus Security intelligence updates](man
|
||||
|
||||
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint.
|
||||
|
||||
The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints.
|
||||
The need to perform an offline scan will also be revealed in Microsoft Endpoint Manager if you're using it to manage your endpoints.
|
||||
|
||||
The prompt can occur via a notification, similar to the following:
|
||||
|
||||
@ -70,7 +70,7 @@ In Configuration Manager, you can identify the status of endpoints by navigating
|
||||
|
||||
Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
|
||||
|
||||
|
||||
|
||||
|
||||
## Configure notifications
|
||||
<a name="manage-notifications"></a>
|
||||
|
||||
@ -27,7 +27,7 @@ manager: dansimp
|
||||
|
||||
Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
|
||||
|
||||
With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
|
||||
With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
|
||||
|
||||
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings.
|
||||
|
||||
|
||||
@ -42,7 +42,7 @@ A full scan can be useful on endpoints that have reported a malware threat. The
|
||||
> [!NOTE]
|
||||
> By default, quick scans run on mounted removable devices, such as USB drives.
|
||||
|
||||
## Use Microsoft Endpoint Configuration Manager to run a scan
|
||||
## Use Microsoft Endpoint Manager to run a scan
|
||||
|
||||
1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
|
||||
2. Choose **Endpoint security** > **Antivirus**.
|
||||
|
||||
@ -29,7 +29,7 @@ You can specify your level of cloud-delivered protection offered by Microsoft De
|
||||
|
||||
> [!TIP]
|
||||
> Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates.
|
||||
> Microsoft Intune and Microsoft Endpoint Configuration Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview).
|
||||
> Microsoft Intune and Microsoft Endpoint Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview).
|
||||
|
||||
|
||||
## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune
|
||||
description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection
|
||||
description: Use Microsoft Endpoint Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection
|
||||
keywords: scep, intune, endpoint protection, configuration
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
@ -16,7 +16,7 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
|
||||
# Use Microsoft Endpoint Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
@ -25,7 +25,7 @@ manager: dansimp
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
|
||||
If you were using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans.
|
||||
If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans.
|
||||
|
||||
1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**.
|
||||
|
||||
|
||||
@ -68,7 +68,7 @@ The following table describes the differences in cloud-delivered protection betw
|
||||
|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No |
|
||||
|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable |
|
||||
|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable |
|
||||
|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
|
||||
|Microsoft Endpoint Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
|
||||
|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable |
|
||||
|
||||
You can also [configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates).
|
||||
@ -82,6 +82,6 @@ You can also [configure Microsoft Defender Antivirus to automatically receive ne
|
||||
|
||||
- [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
|
||||
|
||||
- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
|
||||
- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Manager and Group Policy.
|
||||
|
||||
- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
|
||||
- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Manager and Group Policy.
|
||||
|
||||
@ -33,9 +33,9 @@ For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoin
|
||||
|
||||
Application Guard has been created to target several types of devices:
|
||||
|
||||
- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
|
||||
- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
|
||||
|
||||
- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
|
||||
- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
|
||||
|
||||
- **Bring your own device (BYOD) mobile laptops**. These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
|
||||
|
||||
|
||||
@ -92,7 +92,7 @@ If you plan to manage your machines using a management tool, you can onboard dev
|
||||
For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
|
||||
|
||||
> [!WARNING]
|
||||
> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
|
||||
> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
|
||||
|
||||
> [!TIP]
|
||||
> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
|
||||
|
||||
@ -147,7 +147,7 @@ The "engine version" listed for attack surface reduction events in the event log
|
||||
|
||||
The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name.
|
||||
|
||||
If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs.
|
||||
If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs.
|
||||
|
||||
|
||||
| Rule name | GUID | File & folder exclusions | Minimum OS supported |
|
||||
@ -235,11 +235,11 @@ This rule was introduced in:
|
||||
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
|
||||
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
|
||||
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
|
||||
- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
|
||||
- [Microsoft Endpoint Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
|
||||
|
||||
Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)`
|
||||
|
||||
Microsoft Endpoint Configuration Manager name: `Block executable content from email client and webmail`
|
||||
Microsoft Endpoint Manager name: `Block executable content from email client and webmail`
|
||||
|
||||
GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
|
||||
|
||||
|
||||
@ -26,7 +26,7 @@ ms.date: 02/07/2020
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- Microsoft Endpoint Configuration Manager current branch
|
||||
- Microsoft Endpoint Manager current branch
|
||||
- System Center 2012 R2 Configuration Manager
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
|
||||
@ -167,9 +167,9 @@ For security reasons, the package used to Offboard devices will expire 30 days a
|
||||
> [!NOTE]
|
||||
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
|
||||
|
||||
### Offboard devices using Microsoft Endpoint Configuration Manager current branch
|
||||
### Offboard devices using Microsoft Endpoint Manager current branch
|
||||
|
||||
If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file).
|
||||
If you use Microsoft Endpoint Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file).
|
||||
|
||||
### Offboard devices using System Center 2012 R2 Configuration Manager
|
||||
|
||||
@ -195,7 +195,7 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create
|
||||
|
||||
## Monitor device configuration
|
||||
|
||||
If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
|
||||
If you're using Microsoft Endpoint Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
|
||||
|
||||
If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts:
|
||||
|
||||
|
||||
@ -41,7 +41,7 @@ The following deployment tools and methods are supported:
|
||||
Topic | Description
|
||||
:---|:---
|
||||
[Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices.
|
||||
[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
|
||||
[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
|
||||
[Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device.
|
||||
[Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.
|
||||
[Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices.
|
||||
|
||||
@ -48,7 +48,7 @@ You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows
|
||||
|
||||
- **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)
|
||||
- **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center)
|
||||
- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later)
|
||||
- **Option 3**: [Onboard through Microsoft Endpoint Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later)
|
||||
|
||||
|
||||
After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
|
||||
@ -133,9 +133,9 @@ After completing the onboarding steps, you'll need to [Configure and update Syst
|
||||
> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started.
|
||||
> - This is also required if the server is configured to use an OMS Gateway server as proxy.
|
||||
|
||||
### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later
|
||||
You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint
|
||||
in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
|
||||
### Option 3: Onboard Windows servers through Microsoft Endpoint Manager version 2002 and later
|
||||
You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint
|
||||
in Microsoft Endpoint Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
|
||||
|
||||
After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
|
||||
|
||||
@ -149,7 +149,7 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo
|
||||
- [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md)
|
||||
|
||||
> [!NOTE]
|
||||
> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
|
||||
> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
|
||||
> - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.
|
||||
|
||||
Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions.
|
||||
|
||||
@ -77,7 +77,7 @@ All these capabilities are available for Microsoft Defender for Endpoint license
|
||||
|
||||
### In scope
|
||||
|
||||
- Use of Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities
|
||||
- Use of Microsoft Endpoint Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities
|
||||
|
||||
- Enabling Defender for Endpoint endpoint detection and response (EDR) capabilities
|
||||
|
||||
|
||||
@ -45,7 +45,7 @@ You can enable attack surface reduction rules by using any of these methods:
|
||||
- [Group Policy](#group-policy)
|
||||
- [PowerShell](#powershell)
|
||||
|
||||
Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
|
||||
Enterprise-level management such as Intune or Microsoft Endpoint Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
|
||||
|
||||
## Exclude files and folders from ASR rules
|
||||
|
||||
|
||||
@ -44,7 +44,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode
|
||||
|
||||
> [!TIP]
|
||||
> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).
|
||||
You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
|
||||
You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
|
||||
|
||||
## Review controlled folder access events in Windows Event Viewer
|
||||
|
||||
|
||||
@ -39,7 +39,7 @@ The following table lists various tools/methods you can use, with links to learn
|
||||
|---------|---------|
|
||||
|**[Threat and vulnerability management dashboard insights](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) |The threat & vulnerability management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture. <br/><br/>See [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) and [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). |
|
||||
|**[Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. <br/><br/>See [Manage Microsoft Defender for Endpoint using Intune](manage-atp-post-migration-intune.md). |
|
||||
|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.<br/><br/>See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). |
|
||||
|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.<br/><br/>See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). |
|
||||
|**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs). <br/><br/>See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
|
||||
|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*<br/><br/>You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).<br/><br/>You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).<br/><br/>You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
|
||||
|
||||
|
||||
@ -33,7 +33,7 @@ Acknowledging that customer environments and structures can vary, Defender for E
|
||||
|
||||
## Endpoint onboarding and portal access
|
||||
|
||||
Device onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other third-party tools used for devices management.
|
||||
Device onboarding is fully integrated into Microsoft Endpoint Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other third-party tools used for devices management.
|
||||
|
||||
Defender for Endpoint provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure:
|
||||
- Globally distributed organizations and security teams
|
||||
|
||||
@ -208,7 +208,7 @@ For more information, see [Microsoft Defender Antivirus compatibility](../micros
|
||||
## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
|
||||
If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard.
|
||||
|
||||
If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).
|
||||
If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Onboarding using Microsoft Endpoint Configuration Manager
|
||||
title: Onboarding using Microsoft Endpoint Manager
|
||||
description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager
|
||||
keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
@ -19,7 +19,7 @@ ms.collection:
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Onboarding using Microsoft Endpoint Configuration Manager
|
||||
# Onboarding using Microsoft Endpoint Manager
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
@ -51,7 +51,7 @@ created for testing.
|
||||
|
||||
Onboarding using tools such as Group policy or manual method does not install any agent on the system.
|
||||
|
||||
Within the Microsoft Endpoint Configuration Manager console
|
||||
Within the Microsoft Endpoint Manager console
|
||||
the onboarding process will be configured as part of the compliance settings
|
||||
within the console.
|
||||
|
||||
@ -61,47 +61,47 @@ continues to receive this policy from the management point.
|
||||
|
||||
Follow the steps below to onboard endpoints using Microsoft Endpoint Configuration Manager.
|
||||
|
||||
1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
|
||||
1. In Microsoft Endpoint Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
|
||||
|
||||
|
||||
|
||||
|
||||
2. Right Click **Device Collection** and select **Create Device Collection**.
|
||||
|
||||
|
||||
|
||||
|
||||
3. Provide a **Name** and **Limiting Collection**, then select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
4. Select **Add Rule** and choose **Query Rule**.
|
||||
|
||||
|
||||
|
||||
|
||||
5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
|
||||
|
||||
|
||||
|
||||
|
||||
6. Select **Criteria** and then choose the star icon.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
|
||||
|
||||
|
||||
|
||||
|
||||
8. Select **Next** and **Close**.
|
||||
|
||||
|
||||
|
||||
|
||||
9. Select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
|
||||
|
||||
|
||||
## Step 2: Configure Microsoft Defender for Endpoint capabilities
|
||||
This section guides you in configuring the following capabilities using Microsoft Endpoint Configuration Manager on Windows devices:
|
||||
This section guides you in configuring the following capabilities using Microsoft Endpoint Manager on Windows devices:
|
||||
|
||||
- [**Endpoint detection and response**](#endpoint-detection-and-response)
|
||||
- [**Next-generation protection**](#next-generation-protection)
|
||||
@ -131,11 +131,11 @@ Manager and deploy that policy to Windows 10 devices.
|
||||
|
||||
6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
8. Click **Browse**.
|
||||
|
||||
@ -156,7 +156,7 @@ Manager and deploy that policy to Windows 10 devices.
|
||||
|
||||
15. Click **Close** when the Wizard completes.
|
||||
|
||||
16. In the Microsoft Endpoint Configuration Manager console, right-click the Defender for Endpoint policy you just created and select **Deploy**.
|
||||
16. In the Microsoft Endpoint Manager console, right-click the Defender for Endpoint policy you just created and select **Deploy**.
|
||||
|
||||
|
||||
|
||||
@ -219,7 +219,7 @@ Once completed, you should see onboarded endpoints in the portal within an hour.
|
||||
### Next generation protection
|
||||
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
|
||||
|
||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
|
||||
1. In the Microsoft Endpoint Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
|
||||
|
||||
|
||||
|
||||
@ -271,9 +271,9 @@ All these features provide an audit mode and a block mode. In audit mode there i
|
||||
|
||||
To set ASR rules in Audit mode:
|
||||
|
||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
1. In the Microsoft Endpoint Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
2. Select **Attack Surface Reduction**.
|
||||
@ -281,26 +281,26 @@ To set ASR rules in Audit mode:
|
||||
|
||||
3. Set rules to **Audit** and click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
4. Confirm the new Exploit Guard policy by clicking on **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
5. Once the policy is created click **Close**.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
6. Right-click on the newly created policy and choose **Deploy**.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Target the policy to the newly created Windows 10 collection and click **OK**.
|
||||
|
||||
|
||||
|
||||
|
||||
After completing this task, you now have successfully configured ASR rules in audit mode.
|
||||
|
||||
@ -329,7 +329,7 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros
|
||||
|
||||
|
||||
#### Set Network Protection rules in Audit mode:
|
||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
1. In the Microsoft Endpoint Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
|
||||
|
||||
|
||||
@ -349,42 +349,42 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros
|
||||
|
||||
6. Right-click on the newly created policy and choose **Deploy**.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Select the policy to the newly created Windows 10 collection and choose **OK**.
|
||||
|
||||
|
||||
|
||||
|
||||
After completing this task, you now have successfully configured Network
|
||||
Protection in audit mode.
|
||||
|
||||
#### To set Controlled Folder Access rules in Audit mode:
|
||||
|
||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
1. In the Microsoft Endpoint Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
|
||||
|
||||
|
||||
|
||||
2. Select **Controlled folder access**.
|
||||
|
||||
3. Set the configuration to **Audit** and click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
4. Confirm the new Exploit Guard Policy by clicking on **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
5. Once the policy is created click on **Close**.
|
||||
|
||||
|
||||
|
||||
|
||||
6. Right-click on the newly created policy and choose **Deploy**.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Target the policy to the newly created Windows 10 collection and click **OK**.
|
||||
|
||||
|
||||
|
||||
|
||||
You have now successfully configured Controlled folder access in audit mode.
|
||||
|
||||
|
||||
@ -329,121 +329,121 @@ The steps below provide guidance for the following scenario:
|
||||
|
||||
1. Create an application in Microsoft Endpoint Configuration Manager.
|
||||
|
||||
|
||||
|
||||
|
||||
2. Select **Manually specify the application information**.
|
||||
|
||||
|
||||
|
||||
|
||||
3. Specify information about the application, then select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
4. Specify information about the software center, then select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
5. In **Deployment types** select **Add**.
|
||||
|
||||
|
||||
|
||||
|
||||
6. Select **Manually specify the deployment type information**, then select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Specify information about the deployment type, then select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
8. In **Content** > **Installation program** specify the command: `net start sense`.
|
||||
|
||||
|
||||
|
||||
|
||||
9. In **Detection method**, select **Configure rules to detect the presence of this deployment type**, then select **Add Clause**.
|
||||
|
||||
|
||||
|
||||
|
||||
10. Specify the following detection rule details, then select **OK**:
|
||||
|
||||
|
||||
|
||||
|
||||
11. In **Detection method** select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
12. In **User Experience**, specify the following information, then select **Next**:
|
||||
|
||||
|
||||
|
||||
|
||||
13. In **Requirements**, select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
14. In **Dependencies**, select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
15. In **Summary**, select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
16. In **Completion**, select **Close**.
|
||||
|
||||
|
||||
|
||||
|
||||
17. In **Deployment types**, select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
18. In **Summary**, select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
The status is then displayed:
|
||||
|
||||
|
||||
|
||||
19. In **Completion**, select **Close**.
|
||||
|
||||
|
||||
|
||||
|
||||
20. You can now deploy the application by right-clicking the app and selecting **Deploy**.
|
||||
|
||||
|
||||
|
||||
|
||||
21. In **General** select **Automatically distribute content for dependencies** and **Browse**.
|
||||
|
||||
|
||||
|
||||
|
||||
22. In **Content** select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
23. In **Deployment settings**, select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
24. In **Scheduling** select **As soon as possible after the available time**, then select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
25. In **User experience**, select **Commit changes at deadline or during a maintenance window (requires restarts)**, then select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
26. In **Alerts** select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
27. In **Summary**, select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
The status is then displayed
|
||||
|
||||
|
||||
|
||||
28. In **Completion**, select **Close**.
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user