From 958aa64dbe0b7ab20c74e166962681a83802ca9e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 7 Nov 2018 15:45:54 -0800 Subject: [PATCH 1/6] detection --- windows/security/threat-protection/index.md | 4 ++-- .../windows-defender-advanced-threat-protection.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index a83dc7afac..028116204e 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -63,8 +63,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT -**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
-Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +**[Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. - [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) - [Historical endpoint data](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index abe99e8194..6d9b834f75 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/26/2018 +ms.date: 11/07/2018 --- # Windows Defender Advanced Threat Protection @@ -76,8 +76,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT -**[Endpoint protection and response](overview-endpoint-detection-response.md)**
-Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +**[Endpoint detection and response](overview-endpoint-detection-response.md)**
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. From 9a85f729b1272874335ba14559dc8d0879dfb639 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=20Halfin=20=F0=9F=93=AC=F0=9F=94=A8?= Date: Thu, 8 Nov 2018 00:24:20 +0000 Subject: [PATCH 2/6] Merged PR 12677: Updates for zero exhaust --- ...system-components-to-microsoft-services.md | 143 ++++++++++++++---- windows/privacy/manage-windows-endpoints.md | 8 +- 2 files changed, 116 insertions(+), 35 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 865d98939f..3ac0a072a3 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -18,6 +18,7 @@ ms.date: 06/05/2018 - Windows 10 Enterprise, version 1607 and newer - Windows Server 2016 +- Windows Server 2019 If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). @@ -43,6 +44,12 @@ Note that **Get Help** and **Give us Feedback** links no longer work after the W We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. +## What's new in Windows 10, version 1809 Enterprise edition + +Here's a list of changes that were made to this article for Windows 10, version 1809: + +- Added a policy to disable Windows Defender SmartScreen + ## What's new in Windows 10, version 1803 Enterprise edition Here's a list of changes that were made to this article for Windows 10, version 1803: @@ -99,19 +106,19 @@ The following table lists management options for each setting, beginning with Wi | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | -| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | | | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [5. Find My Device](#find-my-device) | | ![Check mark](images/checkmark.png) | | | | -| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | @@ -142,6 +149,7 @@ The following table lists management options for each setting, beginning with Wi | [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | @@ -202,6 +210,63 @@ See the following table for a summary of the management settings for Windows Ser | [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | +### Settings for Windows Server 2019 + +See the following table for a summary of the management settings for Windows Server 2019. + +| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | :-: | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [17. Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| ![Check mark](images/checkmark.png) | | +|     [17.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +|     [17.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | | | | +| [20. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | +| [27. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | + ## How to configure each setting Use the following sections for more information about how to configure each setting. @@ -336,9 +401,17 @@ After that, configure the following: ### 4. Device metadata retrieval -To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. +To prevent Windows from retrieving device metadata from the Internet: -You can also create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one). +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. + + -or - + +- Create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one). + + -or - + +- Apply the DeviceInstallation/PreventDeviceMetadataFromNetwork MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork). ### 5. Find My Device @@ -608,7 +681,7 @@ You can turn off NCSI by doing one of the following: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** -- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy. +- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) with a value of 1. > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. @@ -879,31 +952,13 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros -or- -- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. - In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. - - In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. - In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**. - - -or- - -- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. - - -or- - - Create a provisioning package, using: - - - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** - - - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** + - For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen** + - For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen** -or- -- Create a REG\_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost** with a value of 0 (zero). - - -or- - -- Create a REG\_DWORD registry setting named **EnableSmartScreen** in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero). +- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost** with a value of 0 (zero). To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: @@ -1793,6 +1848,36 @@ For Windows 10 only, you can stop Enhanced Notifications: You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. +### 23.1 Windows Defender SmartScreen + +To disable Windows Defender Smartscreen: + +- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** : **Disable** + + -or- + +- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable** + + -and- + +- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable** + + -or- + +- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System** with a value of 0 (zero). + + -and- + +- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of 1. + + -and- + +- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of **Anywhere**. + + -or- + +- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + ### 24. Windows Media Player To remove Windows Media Player on Windows 10: diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-endpoints.md index 721814aabe..c324f877dd 100644 --- a/windows/privacy/manage-windows-endpoints.md +++ b/windows/privacy/manage-windows-endpoints.md @@ -145,13 +145,9 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTP | ctldl.windowsupdate.com | 1709 | - -The following endpoints are used to download certificates that are publicly known to be fraudulent. +Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. From a675e587ef27e741cf6f4fd61f1dcab201d77af8 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 8 Nov 2018 00:25:07 +0000 Subject: [PATCH 3/6] Merged PR 12668: Hybrid AD join for Autopilot New content --- windows/deployment/windows-autopilot/TOC.md | 2 + .../windows-autopilot/user-driven-aad.md | 54 ++++++++++++------- .../windows-autopilot/user-driven-hybrid.md | 25 +++++++-- .../windows-autopilot/user-driven.md | 23 +++----- 4 files changed, 67 insertions(+), 37 deletions(-) diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 315115e706..19d3896e66 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -6,6 +6,8 @@ ## [Scenarios and Capabilities](windows-autopilot-scenarios.md) ### [Support for existing devices](existing-devices.md) ### [User-driven mode](user-driven.md) +#### [User-driven mode for AAD](user-driven-aad.md) +#### [User-driven mode for hybrid AAD](user-driven-hybrid.md) ### [Self-deploying mode](self-deploying.md) ### [Enrollment status page](enrollment-status.md) ### [Windows Autopilot Reset](windows-autopilot-reset.md) diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md index 6da9e99b33..b63517060d 100644 --- a/windows/deployment/windows-autopilot/user-driven-aad.md +++ b/windows/deployment/windows-autopilot/user-driven-aad.md @@ -1,19 +1,35 @@ ---- -title: User-driven mode for AAD -description: Listing of Autopilot scenarios -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: low -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.date: 10/02/2018 ---- - -# Windows Autopilot user-driven mode for Azure Active Directory - -**Applies to: Windows 10** - -PLACEHOLDER. This topic is a placeholder for the AAD-specific instuctions currently in user-driven.md. +--- +title: User-driven mode for AAD +description: Listing of Autopilot scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 11/07/2018 +--- + +# Windows Autopilot user-driven mode for Azure Active Directory join + +**Applies to: Windows 10** + +## Procedures + +In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. +- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. + +For each device that will be deployed using user-driven deployment, these additional steps are needed: + +- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. +- Ensure an Autopilot profile has been assigned to the device: + - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. + - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. + - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md index 6f4a760dcc..88e4a87f15 100644 --- a/windows/deployment/windows-autopilot/user-driven-hybrid.md +++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md @@ -9,12 +9,31 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 11/07/2018 --- -# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join +# Windows Autopilot user-driven mode for hybrid Azure Active Directory join **Applies to: Windows 10** -PLACEHOLDER. This topic is a placeholder for the AD-specific (hybrid) instuctions. +Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). + +## Requirements + +To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: + +- Users must be able to join devices to Azure Active Directory. +- A Windows Autopilot profile for user-driven mode must be created and + - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. +- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. +- The device must be running Windows 10, version 1809 or later. +- The device must be connected to the Internet and have access to an Active Directory domain controller. +- The Intune Connector for Active Directory must be installed. + - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. + +## Step by step instructions + +See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 1aa1ad5321..4fd86ef3b5 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -8,11 +8,13 @@ ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 11/07/2018 ms.author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 11/07/2018 --- +# Windows Autopilot user-driven mode + Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: - Unbox the device, plug it in, and turn it on. @@ -24,21 +26,12 @@ After completing those simple steps, the remainder of the process is completely Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. -## Step by step +## Available user-driven modes -In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: +The following options are available for user-driven deployment: -- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. -- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. - -For each machine that will be deployed using user-driven deployment, these additional steps are needed: - -- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. -- Ensure an Autopilot profile has been assigned to the device: - - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. - - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. +- [Azure Active Directory join](user-driven-aad.md) is available if devices do not need to be joined to an on-prem Active Directory domain. +- [Hybrid Azure Active Directory join](user-driven-hybrid.md) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. ## Validation From 84b86cc5907bc150b48f9b847c05c0a038ed45f7 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 8 Nov 2018 13:41:55 +0000 Subject: [PATCH 4/6] Merged PR 12682: Change toc Change toc --- windows/deployment/windows-autopilot/TOC.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 19d3896e66..dab69519b0 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -6,8 +6,8 @@ ## [Scenarios and Capabilities](windows-autopilot-scenarios.md) ### [Support for existing devices](existing-devices.md) ### [User-driven mode](user-driven.md) -#### [User-driven mode for AAD](user-driven-aad.md) -#### [User-driven mode for hybrid AAD](user-driven-hybrid.md) +#### [Azure Active Directory joined](user-driven-aad.md) +#### [Hybrid Azure Active Directory joined](user-driven-hybrid.md) ### [Self-deploying mode](self-deploying.md) ### [Enrollment status page](enrollment-status.md) ### [Windows Autopilot Reset](windows-autopilot-reset.md) From 78c4b52b311ce3dd29b27cac41136b0be08a928f Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Thu, 8 Nov 2018 14:41:34 +0000 Subject: [PATCH 5/6] Updated investigate-alerts-windows-defender-advanced-threat-protection.md --- ...e-alerts-windows-defender-advanced-threat-protection.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index 87f2d65c02..31561fac5b 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -54,14 +54,11 @@ Some actor profiles include a link to download a more comprehensive threat intel The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading. ## Alert process tree -The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence, together with other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page. +The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page. ![Image of the alert process tree](images/atp-alert-process-tree.png) -The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in the minutes - before and after - the alert. - -The alert and related events or evidence have circles with thunderbolt icons inside them. - +The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Evidence items that are marked with a thunderbolt icon should be given priority during investigation. >[!NOTE] >The alert process tree might not be available in some alerts. From f1cfa3c9576b81975897b5d873db139330261b78 Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Thu, 8 Nov 2018 15:04:17 +0000 Subject: [PATCH 6/6] Updated investigate-alerts-windows-defender-advanced-threat-protection.md --- ...tigate-alerts-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index 31561fac5b..55f697cb46 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -58,7 +58,7 @@ The **Alert process tree** takes alert triage and investigation to the next leve ![Image of the alert process tree](images/atp-alert-process-tree.png) -The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Evidence items that are marked with a thunderbolt icon should be given priority during investigation. +The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation. >[!NOTE] >The alert process tree might not be available in some alerts.