deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-26 15:53:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into surface-2s-update-vjokai

Browse Source
This commit is contained in:
John Kaiser
2019-10-22 10:13:02 -07:00
parent 3cd2b374af a4140c4c5b
commit 6386c29c06
11 changed files with 330 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
.openpublishing.redirection.json
View File

@ -732,7 +732,7 @@
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package",
"redirect_document_id": true
},
{
@ -747,62 +747,62 @@
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection",
"redirect_url": "https://docs.microsoft.com/windows/security/microsoft-defender-atp/customize-exploit-protection",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection",
"redirect_document_id": true
},
{
@ -822,12 +822,12 @@
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/graphics",
"redirect_document_id": true
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml",
"redirect_document_id": true
},
{
@ -842,22 +842,22 @@
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/prerelease",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prerelease",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np",
"redirect_document_id": true
},
{
@ -3158,7 +3158,7 @@
},
{
"source_path": "windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection",
"redirect_document_id": true
},
{
@ -12198,8 +12198,8 @@
},
{
"source_path": "windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
"redirect_document_id": true
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection",
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/requirements-for-deploying-applocker-policies.md",

57
windows/client-management/mdm/defender-csp.md
View File

@ -9,7 +9,8 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 07/19/2018
ms.localizationpriority: medium
ms.date: 10/21/2019
---
# Defender CSP
@ -138,7 +139,7 @@ The following list shows the supported values:
- 2 = Manual steps required
- 3 = Full scan required
- 4 = Reboot required
- 5 = Remediated with non critical failures
- 5 = Remediated with noncritical failures
- 6 = Quarantined
- 7 = Removed
- 8 = Cleaned
@ -243,7 +244,7 @@ The following list shows the supported values:
- 2 = Pending reboot
- 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan)
- 8 = Pending offline scan
- 16 = Pending critical failure (Windows Defender has failed critically and an Adminsitrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender)
- 16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender)
Supported operation is Get.
@ -352,6 +353,53 @@ The data type is a string.
Supported operation is Get.
<a href="" id="health-tamperprotectionenabled"></a>**Health/TamperProtectionEnabled**
Indicates whether the Windows Defender tamper protection feature is enabled.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-isvirtualmachine"></a>**Health/IsVirtualMachine**
Indicates whether the device is a virtual machine.
The data type is a string.
Supported operation is Get.
<a href="" id="configuration"></a>**Configuration**
An interior node to group Windows Defender configuration information.
Supported operation is Get.
<a href="" id="configuration-tamperprotection"></a>**Configuration/TamperProtection**
Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
The data type is a Signed blob.
Supported operations are Add, Delete, Get, Replace.
Intune tamper protection setting UX supports three states:
- Not configured (default): Does not have any impact on the default state of the device.
- Enabled: Enables the tamper protection feature.
- Disabled: Turns off the tamper protection feature.
When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
<a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
When this feature is enabled Windows defender will compute hashes for files it scans.
The data type is a integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
- 1 Enable.
- 0 (default) Disable.
<a href="" id="scan"></a>**Scan**
Node that can be used to start a Windows Defender scan on a device.
@ -374,5 +422,4 @@ Supported operations are Get and Execute.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
[Configuration service provider reference](configuration-service-provider-reference.md)

111
windows/client-management/mdm/defender-ddf.md
View File

@ -9,7 +9,8 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 07/12/2018
ms.localizationpriority: medium
ms.date: 10/21/2019
---
# Defender DDF file
@ -19,7 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Defende
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is for Windows 10, version 1809.
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -628,6 +629,112 @@ The XML below is for Windows 10, version 1809.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TamperProtectionEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsVirtualMachine</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Configuration</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TamperProtection</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnableFileHashComputation</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Scan</NodeName>

BIN
windows/client-management/mdm/images/provisioning-csp-defender.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 80 KiB

14
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -165,7 +165,7 @@ ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswo
<li><a href="policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon" data-raw-source="[WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)">WindowsLogon/ConfigAutomaticRestartSignOn</a></li>
<li><a href="policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation" data-raw-source="[WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)">WindowsLogon/EnableFirstLogonAnimation</a></li>
<tr>
<td style="vertical-align:top"><a href="policy-csp-audit.md" data-raw-source="[Policy CSP - Audit](applicationcontrol-csp.md)">Policy CSP - Audit</a></td>
<td style="vertical-align:top"><a href="policy-csp-audit.md" data-raw-source="[Policy CSP - Audit](policy-csp-audit.md)">Policy CSP - Audit</a></td>
<td style="vertical-align:top"><p>Added new Audit policies in Windows 10, version 1903.</p>
</td></tr>
<tr>
@ -175,6 +175,10 @@ ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswo
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1903.</p>
</td></tr>
<tr>
<td style="vertical-align:top"><a href="defender-csp.md" data-raw-source="[Defender CSP](defender-csp.md)">Defender CSP</a></td>
<td style="vertical-align:top"><p>Added the following new nodes:<br>Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.</p>
</td></tr>
<tr>
<td style="vertical-align:top"><a href="diagnosticlog-csp.md" data-raw-source="[DiagnosticLog CSP](diagnosticlog-csp.md)">DiagnosticLog CSP</a><br>
<a href="diagnosticlog-ddf.md" data-raw-source="[DiagnosticLog DDF](diagnosticlog-ddf.md)">DiagnosticLog DDF</a></td>
<td style="vertical-align:top"><p>Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:<br>
@ -1929,17 +1933,19 @@ What data is handled by dmwappushsvc? | It is a component handling the internal
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. |
## Change history in MDM documentation
### October 2019
|New or updated topic | Description|
|--- | ---|
|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:<br>ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID|
|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:<br>ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.|
|[Defender CSP](defender-csp.md)|Added the following new nodes:<br>Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.|
### September 2019
|New or updated topic | Description|
|--- | ---|
|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following new node:<br>IsStub|
|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following new node:<br>IsStub.|
|[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.|
|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policies: <br>DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.|
@ -1958,7 +1964,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.|
|[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:<br>SecurityKey, SecurityKey/UseSecurityKeyForSignin|
|[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:<br>LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock|
|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:<br>Create a custom configuration service provider<br>Design a custom configuration service provider<br>IConfigServiceProvider2<br>IConfigServiceProvider2::ConfigManagerNotification<br>IConfigServiceProvider2::GetNode<br>ICSPNode<br>ICSPNode::Add<br>ICSPNode::Clear<br>ICSPNode::Copy<br>ICSPNode::DeleteChild<br>ICSPNode::DeleteProperty<br>ICSPNode::Execute<br>ICSPNode::GetChildNodeNames<br>ICSPNode::GetProperty<br>ICSPNode::GetPropertyIdentifiers<br>ICSPNode::GetValue<br>ICSPNode::Move<br>ICSPNode::SetProperty<br>ICSPNode::SetValue<br>ICSPNodeTransactioning<br>ICSPValidate<br>Samples for writing a custom configuration service provider|
|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:<br>Create a custom configuration service provider<br>Design a custom configuration service provider<br>IConfigServiceProvider2<br>IConfigServiceProvider2::ConfigManagerNotification<br>IConfigServiceProvider2::GetNode<br>ICSPNode<br>ICSPNode::Add<br>ICSPNode::Clear<br>ICSPNode::Copy<br>ICSPNode::DeleteChild<br>ICSPNode::DeleteProperty<br>ICSPNode::Execute<br>ICSPNode::GetChildNodeNames<br>ICSPNode::GetProperty<br>ICSPNode::GetPropertyIdentifiers<br>ICSPNode::GetValue<br>ICSPNode::Move<br>ICSPNode::SetProperty<br>ICSPNode::SetValue<br>ICSPNodeTransactioning<br>ICSPValidate<br>Samples for writing a custom configuration service provider.|
### June 2019

3
windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
---
# Enable Secure Score security controls
@ -27,7 +26,7 @@ ms.date: 04/24/2018
Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
Set the baselines for calculating the score of security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
>[!NOTE]
>Changes might take up to a few hours to reflect on the dashboard.

59
windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
View File

@ -1,7 +1,7 @@
---
title: See how exploit protection works in a demo
description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -10,9 +10,9 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 04/02/2019
author: denisebmsft
ms.author: deniseb
ms.date: 10/21/2019
ms.reviewer:
manager: dansimp
---
@ -23,21 +23,16 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices.
It consists of a number of mitigations that can be applied to either the operating system or an individual app.
Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](emet-exploit-protection.md) are included in exploit protection.
This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
You can enable audit mode for certain app-level mitigations to see how they will work in a test environment.
This lets you see a record of what *would* have happened if you had enabled the mitigation in production.
You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.
This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur.
> [!TIP]
> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
## Enable exploit protection in audit mode
You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.
You can set mitigation in audit mode for specific programs either by using the Windows Security app or Windows PowerShell.
### Windows Security app
@ -45,12 +40,12 @@ You can set mitigations in audit mode for specific programs either by using the
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply mitigations to:
3. Go to **Program settings** and choose the app you want to apply protection to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
* Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
@ -76,14 +71,14 @@ Where:
* \<Mitigation>:
* The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
Mitigation | Audit mode cmdlet
-|-
Arbitrary code guard (ACG) | AuditDynamicCode
Block low integrity images | AuditImageLoad
Block untrusted fonts | AuditFont, FontAuditOnly
Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned
Disable Win32k system calls | AuditSystemCall
Do not allow child processes | AuditChildProcess
|Mitigation | Audit mode cmdlet |
|---|---|
|Arbitrary code guard (ACG) | AuditDynamicCode |
|Block low integrity images | AuditImageLoad
|Block untrusted fonts | AuditFont, FontAuditOnly |
|Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned |
|Disable Win32k system calls | AuditSystemCall |
|Do not allow child processes | AuditChildProcess |
For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
@ -97,14 +92,14 @@ You can disable audit mode by replacing `-Enable` with `-Disable`.
To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
Feature | Provider/source | Event ID | Description
-|-|-|-
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
|Feature | Provider/source | Event ID | Description |
|---|---|--|---|
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
## Related topics

2
windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 010/08/2018
ms.date: 10/08/2018
---
# Manage Microsoft Defender ATP incidents

97
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
View File

@ -188,7 +188,102 @@ You may now enroll more devices. You can also enroll them later, after you have
</plist>
```
9. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.wdavtray</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string/>
<key>PayloadDisplayName</key>
<string>notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string/>
<key>PayloadDisplayName</key>
<string>mdatp - allow notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:

10
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
View File

@ -118,6 +118,16 @@ Save the **Configuration Profile**.
Use the **Logs** tab to monitor deployment status for each enrolled device.
### Notification settings
Starting in macOS 10.15 (Catalina) a user must manually allow to display notifications in UI. To auto-enable notifications from Defender and Auto Update, you can import the .mobileconfig below into a separate configuration profile and assign it to all machines with Defender:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>PayloadContent</key><array><dict><key>NotificationSettings</key><array><dict><key>AlertType</key><integer>2</integer><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.microsoft.autoupdate2</string><key>CriticalAlertEnabled</key><false/><key>GroupingType</key><integer>0</integer><key>NotificationsEnabled</key><true/><key>ShowInLockScreen</key><false/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict><dict><key>AlertType</key><integer>2</integer><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.microsoft.wdavtray</string><key>CriticalAlertEnabled</key><false/><key>GroupingType</key><integer>0</integer><key>NotificationsEnabled</key><true/><key>ShowInLockScreen</key><false/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict></array><key>PayloadDescription</key><string/><key>PayloadDisplayName</key><string>notifications</string><key>PayloadEnabled</key><true/><key>PayloadIdentifier</key><string>BB977315-E4CB-4915-90C7-8334C75A7C64</string><key>PayloadOrganization</key><string>Microsoft</string><key>PayloadType</key><string>com.apple.notificationsettings</string><key>PayloadUUID</key><string>BB977315-E4CB-4915-90C7-8334C75A7C64</string><key>PayloadVersion</key><integer>1</integer></dict></array><key>PayloadDescription</key><string/><key>PayloadDisplayName</key><string>mdatp - allow notifications</string><key>PayloadEnabled</key><true/><key>PayloadIdentifier</key><string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string><key>PayloadOrganization</key><string>Microsoft</string><key>PayloadRemovalDisallowed</key><false/><key>PayloadScope</key><string>System</string><key>PayloadType</key><string>Configuration</string><key>PayloadUUID</key><string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string><key>PayloadVersion</key><integer>1</integer></dict></plist>
```
### Package
1. Create a package in **Settings > Computer Management > Packages**.

2
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
View File

@ -72,7 +72,7 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
### From the command line
- ```sudo rm -rf '/Applications/Microsoft Defender ATP'```
- ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
## Configuring from the command line