deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into MDBranchPhase1ADMXBackedPoliciesSet3

Browse Source
This commit is contained in:
ManikaDhiman 2020-10-01 13:17:50 -07:00
commit 64838e173f
47 changed files with 430 additions and 412 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -16439,6 +16439,11 @@
"source_path": "windows/deployment/windows-autopilot/windows-autopilot.md",
"redirect_url": "https://docs.microsoft.com/mem/autopilot/windows-autopilot",
"redirect_document_id": true
},
{
"source_path": "windows/hub/windows-10.yml",
"redirect_url": "https://docs.microsoft.com/windows/windows-10",
"redirect_document_id": false
}
]
}

16
windows/client-management/mdm/healthattestation-csp.md
View File

@ -74,7 +74,7 @@ The following is a list of functions performed by the Device HealthAttestation C
<strong>DHA-Enabled MDM (Device HealthAttestation enabled device management solution)</strong>
<p style="margin-left: 20px">Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.</p>
<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromized by advanced security threats or running a malicious (jailbroken) operating system.</p>
<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.</p>
<p style="margin-left: 20px">The following list of operations are performed by DHA-Enabled-MDM:</p>
<ul>
<li>Enables the DHA feature on a DHA-Enabled device</li>
@ -195,10 +195,10 @@ The following diagram shows the Device HealthAttestation configuration service p
<p style="margin-left: 20px">The following list shows some examples of supported values. For the complete list of status see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.</p>
- 0 - (HEALTHATTESTATION\_CERT\_RETRI_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRI_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
- 3 - (HEALTHATTESTATION\_CERT\_RETRI_COMPLETE): DHA-Data is ready for pick up
- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up
<a href="" id="forceretrieve"></a>**ForceRetrieve** (Optional)
<p style="margin-left: 20px">Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.</p>
@ -220,7 +220,7 @@ The following diagram shows the Device HealthAttestation configuration service p
<a href="" id="correlationid"></a>**CorrelationId** (Required)
<p style="margin-left: 20px">Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.</p>
<p style="margin-left: 20px">Value type is integer, the minimum value is - 2,147,483,648 and the maximun value is 2,147,483,647. The supported operation is Get.</p>
<p style="margin-left: 20px">Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.</p>
<a href="" id="hasendpoint"></a>**HASEndpoint** (Optional)
<p style="margin-left: 20px">Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.</p>
@ -359,8 +359,8 @@ The following example shows a sample call that triggers collection and verificat
After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
- If the response is HEALTHATTESTATION\_CERT_RETRI_COMPLETE (3) then proceed to the next section.
- If the response is HEALTHATTESTATION_CERT_RETRI_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRI_UNINITIALIZED (0) wait for an alert, then proceed to the next section.
- If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section.
- If the response is HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED (0) wait for an alert, then proceed to the next section.
Here is a sample alert that is issued by DHA_CSP:
@ -830,7 +830,7 @@ Each of these are described in further detail in the following sections, along w
<tr>
<td style="vertical-align:top">3</td>
<td style="vertical-align:top">HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE</td>
<td style="vertical-align:top">This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.</td>
<td style="vertical-align:top">This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.</td>
</tr>
<tr>
<td style="vertical-align:top">4</td>

3
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -1014,9 +1014,6 @@ The following diagram shows the Policy configuration service provider in tree fo
### ADMX_Sharing policies
<dl>
<dd>
<a href="./policy-csp-admx-sharing.md#admx-sharing-disablehomegroup" id="admx-sharing-disablehomegroup">ADMX_Sharing/DisableHomeGroup</a>
</dd>
<dd>
<a href="./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing" id="admx-sharing-noinplacesharing">ADMX_Sharing/NoInplaceSharing</a>
</dd>

77
windows/client-management/mdm/policy-csp-admx-sharing.md
View File

@ -22,9 +22,6 @@ manager: dansimp
## ADMX_Sharing policies
<dl>
<dd>
<a href="#admx-sharing-disablehomegroup">ADMX_Sharing/DisableHomeGroup</a>
</dd>
<dd>
<a href="#admx-sharing-noinplacesharing">ADMX_Sharing/NoInplaceSharing</a>
</dd>
@ -32,80 +29,6 @@ manager: dansimp
<hr/>
<!--Policy-->
<a href="" id="admx-sharing-disablehomegroup"></a>**ADMX_Sharing/DisableHomeGroup**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can add computers to a homegroup. By default, users can add their computer to a homegroup on a private network.
If you enable this policy setting, users cannot add computers to a homegroup. This policy setting does not affect other network sharing features.
If you disable or do not configure this policy setting, users can add computers to a homegroup. However, data on a domain-joined computer is not shared with the homegroup.
This policy setting is not configured by default.
You must restart the computer for this policy setting to take effect.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prevent the computer from joining a homegroup*
- GP name: *DisableHomeGroup*
- GP path: *Windows Components\HomeGroup*
- GP ADMX file name: *Sharing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-sharing-noinplacesharing"></a>**ADMX_Sharing/NoInplaceSharing**

6
windows/client-management/mdm/policy-csp-update.md
View File

@ -1925,7 +1925,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should only be enabled when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update.
<!--/Description-->
<!--ADMXMapped-->
@ -2985,7 +2985,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date.
Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.
@ -3114,7 +3114,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date.
Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.

1
windows/client-management/mdm/policy-csps-admx-backed.md
View File

@ -254,7 +254,6 @@ ms.date: 08/18/2020
- [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing)
- [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots)
- [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders)
- [ADMX_Sharing/DisableHomeGroup](./policy-csp-admx-sharing.md#admx-sharing-disablehomegroup)
- [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing)
- [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd)
- [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit)

1
windows/deployment/TOC.yml
View File

@ -199,6 +199,7 @@
- name: Data handling and privacy in Update Compliance
href: update/update-compliance-privacy.md
- name: Update Compliance schema reference
href: update/update-compliance-schema.md
items:
- name: WaaSUpdateStatus
href: update/update-compliance-schema-waasupdatestatus.md

5
windows/deployment/update/get-started-updates-channels-tools.md
View File

@ -30,9 +30,9 @@ version of the software.
We include information here about a number of different update types you'll hear about, but the two overarching types which you have the most direct control over are *feature updates* and *quality updates*.
- **Feature updates:** Released twice per year, around March and September. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Driver updates**: These are updates to drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
- **Microsoft product updates:** These are updates for other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
@ -104,4 +104,3 @@ Your individual devices connect to Microsoft endpoints directly to get the updat
### Hybrid scenarios
It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.

30
windows/deployment/update/media-dynamic-update.md
View File

@ -79,7 +79,7 @@ This table shows the correct sequence for applying the various tasks to the file
|Add latest cumulative update | | 15 | 21 |
|Clean up the image | 7 | 16 | 22 |
|Add Optional Components | | | 23 |
|Add .Net and .Net cumulative updates | | | 24 |
|Add .NET and .NET cumulative updates | | | 24 |
|Export image | 8 | 17 | 25 |
### Multiple Windows editions
@ -90,7 +90,7 @@ The main operating system file (install.wim) contains multiple editions of Windo
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@ -107,7 +107,7 @@ These examples are for illustration only, and therefore lack error handling. The
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
```
```powershell
function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
Write-Host "$(Get-TS): Starting media refresh"
@ -160,21 +160,21 @@ New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Keep the original media, make a copy of it for the new, updateed media.
# Keep the original media, make a copy of it for the new, updated media.
Write-Host "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
### Update WinRE
The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its s are used for updating other s. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
It finishes by cleaning and exporting the image to reduce the image size.
> [!NOTE]
> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary s in the recovery environment. The s that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary components in the recovery environment. The components that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
```
```powershell
# Mount the main operating system, used throughout the script
Write-Host "$(Get-TS): Mounting main OS"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
@ -255,7 +255,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
```
```powershell
#
# update Windows Preinstallation Environment (WinPE)
#
@ -345,11 +345,11 @@ Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\
For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export.
You can install Optional Components, along with the .NET feature, offline, but that will require the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
```
```powershell
#
# update Main OS
#
@ -398,14 +398,14 @@ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
#
# Note: If I wanted to enable additional Optional Components, I'd add these here.
# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
# In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
#
Write-Host "$(Get-TS): Adding NetFX3~~~~"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
# Add .Net Cumulative Update
# Add .NET Cumulative Update
Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
@ -422,7 +422,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup.exe as needed, along with the latest compatibility database, and replacement component manifests.
```
```powershell
#
# update remaining files on media
#
@ -435,7 +435,7 @@ cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PA
As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
```
```powershell
#
# Perform final cleanup
#

3
windows/deployment/update/update-compliance-configuration-manual.md
View File

@ -48,6 +48,9 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
> [!NOTE]
> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
### Group Policies
All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.

6
windows/deployment/update/update-compliance-configuration-script.md
View File

@ -19,7 +19,11 @@ ms.topic: article
The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
> [!NOTE]
> The Update Compliance configuration script does not offer options to configure Delivery Optimization. You have to do that separately.
You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
## How the script is organized

3
windows/deployment/update/update-compliance-schema.md
View File

@ -20,6 +20,9 @@ When the visualizations provided in the default experience don't fulfill your re
The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries).
> [!NOTE]
> Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics.
|Table |Category |Description |
|--|--|--|
|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |

2
windows/deployment/update/waas-overview.md
View File

@ -101,7 +101,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).

13
windows/deployment/update/waas-servicing-channels-windows-10-updates.md
View File

@ -52,10 +52,8 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
>[!IMPORTANT]
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
**To assign a single devices locally to the Semi-Annual Channel**
1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
2. Select **Defer feature updates**.
>[!NOTE]
>Devices will automatically recieve updates from the Semi-Annual Channel, unless they are configured to recieve preview updates through the Windows Insider Program.
**To assign devices to the Semi-Annual Channel by using Group Policy**
@ -99,7 +97,7 @@ For more information, see [Windows Insider Program for Business](waas-windows-in
## Block access to Windows Insider Program
To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
To prevent devices in your organization from being enrolled in the Insider Program for early releases of Windows 10:
- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
@ -164,10 +162,11 @@ During the life of a device, it might be necessary or desirable to switch betwee
## Block user access to Windows Update settings
In Windows 10, administrators can control user access to Windows Update.
By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
Administrators can disable the "Check for updates" option for users by enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features** . Any background update scans, downloads and installations will continue to work as configured. We don't recomment this setting if you have configured the device to "notify" to download or install as this policy will prevent the user from being able to do so.
>[!NOTE]
> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
> Starting with Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported.
## Steps to manage updates for Windows 10

2
windows/hub/TOC.md
View File

@ -1,4 +1,4 @@
# [Windows 10](index.md)
# [Windows 10](index.yml)
## [What's new](/windows/whats-new)
## [Release information](/windows/release-information)
## [Deployment](/windows/deployment)

68
windows/hub/index.md
View File

@ -1,68 +0,0 @@
---
title: Windows 10
description: Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10.
ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
ms.prod: w10
ms.localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.reviewer: dansimp
manager: dansimp
---
# Windows 10
Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10.
&nbsp;
## Check out [what's new in Windows 10, version 2004](/windows/whats-new/whats-new-windows-10-version-2004).
<br>
<table border="0" width="100%" align="center">
<tr style="text-align:center;">
<td align="center" style="width:25%; border:0;">
<a href="/windows/whats-new/whats-new-windows-10-version-2004">
<img src="images/whatsnew.png" alt="Read what's new in Windows 10" title="Whats new" />
<br/>What's New? </a><br>
</td>
<td align="center">
<a href="/windows/configuration/index">
<img src="images/configuration.png" alt="Configure Windows 10 in your enterprise" title="Configure Windows 10" />
<br/>Configuration </a><br>
</td>
<td align="center">
<a href="/windows/deployment/index">
<img src="images/deployment.png" alt="Windows 10 deployment" title="Windows 10 deployment" />
<br/>Deployment </a><br>
</tr>
<tr style="text-align:center;">
<td align="center"><br>
<a href="/windows/application-management/index">
<img src="images/applicationmanagement.png" alt="Manage applications in your Windows 10 enterprise deployment" title="Application management" />
<br/>App Management </a>
</td>
<td align="center"><br>
<a href="/windows/client-management/index">
<img src="images/clientmanagement.png" alt="Windows 10 client management" title="Client management" />
<br/>Client Management </a>
</td>
<td align="center"><br>
<a href="/windows/security/index">
<img src="images/threatprotection.png" alt="Windows 10 security" title="W10 security" />
<br/>Security </a>
</tr>
</table>
>[!TIP]
> Looking for information about older versions of Windows? Check out our other [Windows libraries](/previous-versions/windows/) on docs.microsoft.com. You can also search this site to find specific information, like this [Windows 8.1 content](https://docs.microsoft.com/search/index?search=Windows+8.1&dataSource=previousVersions).
## Get to know Windows as a Service (WaaS)
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
- [Read more about Windows as a Service](/windows/deployment/update/waas-overview)

115
windows/hub/index.yml Normal file
View File

@ -0,0 +1,115 @@
### YamlMime:Landing
title: Windows 10 resources and documentation for IT Pros # < 60 chars
summary: Plan, deploy, secure, and manage devices running Windows 10. # < 160 chars
metadata:
title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 09/23/2020 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: What's new
linkLists:
- linkListType: overview
links:
- text: What's new in Windows 10, version 2004
url: /windows/whats-new/whats-new-windows-10-version-2004
- text: What's new in Windows 10, version 1909
url: /windows/whats-new/whats-new-windows-10-version-1909
- text: What's new in Windows 10, version 1903
url: /windows/whats-new/whats-new-windows-10-version-1903
- text: Windows 10 release information
url: https://docs.microsoft.com/windows/release-information/
# Card (optional)
- title: Configuration
linkLists:
- linkListType: how-to-guide
links:
- text: Configure Windows 10
url: /windows/configuration/index
- text: Accesasibility information for IT Pros
url: /windows/configuration/windows-10-accessibility-for-itpros
- text: Configure access to Microsoft Store
url: /windows/configuration/stop-employees-from-using-microsoft-store
- text: Set up a shared or guest PC
url: /windows/configuration/set-up-shared-or-guest-pc
# Card (optional)
- title: Deployment
linkLists:
- linkListType: deploy
links:
- text: Deploy and update Windows 10
url: /windows/deployment/index
- text: Windows 10 deployment scenarios
url: /windows/deployment/windows-10-deployment-scenarios
- text: Create a deployment plan
url: /windows/deployment/update/create-deployment-plan
- text: Prepare to deploy Windows 10
url: /windows/deployment/update/prepare-deploy-windows
# Card
- title: App management
linkLists:
- linkListType: how-to-guide
links:
- text: Windows 10 application management
url: /windows/application-management/index
- text: Understand the different apps included in Windows 10
url: /windows/application-management/apps-in-windows-10
- text: Get started with App-V for Windows 10
url: /windows/application-management/app-v/appv-getting-started
- text: Keep removed apps from returning during an update
url: /windows/application-management/remove-provisioned-apps-during-update
# Card
- title: Client management
linkLists:
- linkListType: how-to-guide
links:
- text: Windows 10 client management
url: /windows/client-management/index
- text: Administrative tools in Windows 10
url: /windows/client-management/administrative-tools-in-windows-10
- text: Create mandatory user profiles
url: /windows/client-management/mandatory-user-profile
- text: New policies for Windows 10
url: /windows/client-management/new-policies-for-windows-10
# Card (optional)
- title: Security and Privacy
linkLists:
- linkListType: how-to-guide
links:
- text: Windows 10 Enterprise Security
url: /windows/security/index
- text: Windows Privacy
url: /windows/privacy/index
- text: Identity and access management
url: /windows/security/identity-protection/index
- text: Threat protection
url: /windows/security/threat-protection/index
- text: Information protection
url: /windows/security/information-protection/index
- text: Required diagnostic data
url: /windows/privacy/required-windows-diagnostic-data-events-and-fields-2004
- text: Optional diagnostic data
url: /windows/privacy/windows-diagnostic-data
- text: Changes to Windows diagnostic data collection
url: /windows/privacy/changes-to-windows-diagnostic-data-collection

77
windows/hub/windows-10.yml
View File

@ -1,77 +0,0 @@
### YamlMime:YamlDocument
documentType: LandingData
title: Windows 10
metadata:
title: Windows 10
description: Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization.
keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
ms.localizationpriority: medium
author: lizap
ms.author: elizapo
manager: dougkim
ms.topic: article
ms.devlang: na
sections:
- items:
- type: markdown
text: "
Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization.
"
- title: Explore
- items:
- type: markdown
text: "
Get started with Windows 10. Evaluate free for 90 days and set up virtual labs to test a proof of concept.<br>
<table><tr><td><img src='images/explore1.png' width='192' height='192'><br>**Download a free 90-day evaluation**<br>Try the latest features. Test your apps, hardware, and deployment strategies.<br><a href='https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise'>Start evaluation</a></td><td><img src='images/explore2.png' width='192' height='192'><br>**Get started with virtual labs**<br>Try setup, deployment, and management scenarios in a virtual environment, with no additional software or setup required.<br><a href='https://www.microsoft.com/en-us/itpro/windows-10/virtual-labs'>See Windows 10 labs</a></td><td><img src='images/explore3.png' width='192' height='192'><br>**Conduct a proof of concept**<br>Download a lab environment with MDT, Configuration Manager, Windows 10, and more.<br><a href='https://go.microsoft.com/fwlink/p/?linkid=861441'>Get deployment kit</a></td></tr>
</table>
"
- title: What's new
- items:
- type: markdown
text: "
Learn about the latest releases and servicing options.<br>
<table><tr><td><img src='images/land-new.png'></td><td><a href='https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809'>What's new in Windows 10, version 1809</a><br><a href='https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803'>What's new in Windows 10, version 1803</a><br><a href='https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709'>What's new in Windows 10, version 1709</a><br><a href='https://docs.microsoft.com/windows/windows-10/release-information'>Windows 10 release information</a><br><a href='https://support.microsoft.com/help/12387/windows-10-update-history'>Windows 10 update history</a><br><a href='https://go.microsoft.com/fwlink/p/?linkid=861443'>Windows 10 roadmap</a></td></tr>
</table>
"
- title: Frequently asked questions
- items:
- type: markdown
text: "
Get answers to common questions, or get help with a specific problem.<br>
<table><tr><td><a href='https://docs.microsoft.com/windows/deployment/planning/windows-10-enterprise-faq-itpro'>Windows 10 FAQ for IT Pros</a><br><a href='https://go.microsoft.com/fwlink/p/?linkid=861444'>Windows 10 forums</a><br><a href='https://techcommunity.microsoft.com/t5/Windows-10/bd-p/Windows10space'>Windows 10 TechCommunity</a><br><a href='https://go.microsoft.com/fwlink/p/?linkid=861445'>Which edition is right for your organization?</a><br><a href='https://docs.microsoft.com/windows/deployment/planning/windows-10-infrastructure-requirements'>Infrastructure requirements</a><br><a href='https://www.microsoft.com/itpro/windows-10/windows-as-a-service'>What's Windows as a service?</a><br><a href='https://docs.microsoft.com/windows/client-management/windows-10-mobile-and-mdm'>Windows 10 Mobile deployment and management guide</a></td><td><img src='images/faq.png'></td></tr>
</table>
"
- title: Plan
- items:
- type: markdown
text: "
Prepare to deploy Windows 10 in your organization. Explore deployment methods, compatibility tools, and servicing options. <br>
<table><tr><td><img src='images/plan1.png' width='192' height='192'><br>**Application compatibility**<br>Get best practices and tools to help you address compatibility issues prior to deployment.<br><a href='https://www.readyforwindows.com/'>Find apps that are ready for Windows 10.</a><br><a href='https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness'>Identify and prioritize apps with Upgrade Readiness</a><br><a href='https://technet.microsoft.com/microsoft-edge/mt612809.aspx'>Test, validate, and implement with the Web Application Compatibility Lab Kit</a></td><td><img src='images/plan2.png' width='192' height='192'><br>**Upgrade options**<br>Learn about the options available for upgrading Windows 7, Windows 8, or Windows 8.1 PCs and devices to Windows 10.<br><a href='https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades'>Manage Windows upgrades with Upgrade Readiness</a><br><a href='https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths'>Windows 10 upgrade paths</a><br><a href='https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades'>Windows 10 edition upgrades</a></td><td><img src='images/plan3.png' width='192' height='192'><br>**Windows as a service**<br>Windows as a service provides ongoing new capabilities and updates while maintaining a high level of hardware and software compatibility.<br><a href='https://docs.microsoft.com/windows/deployment/update/windows-as-a-service'>Explore</a></td></tr>
</table>
"
- title: Deploy
- items:
- type: markdown
text: "
Download recommended tools and get step-by-step guidance for in-place upgrades, dynamic provisioning, or traditional deployments.<br>
<table><tr><td><img src='images/deploy1.png' width='192' height='192'><br>**In-place upgrade**<br>The simplest way to upgrade PCs that are currently running WIndows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade.<br><a href='https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager'>Upgrade to Windows 10 with Configuration Manager</a><br><a href='https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit'>Upgrade to Windows 10 with MDT</a></td><td><img src='images/deploy2.png' width='192' height='192'><br>**Traditional deployment**<br>Some organizations may still need to opt for an image-based deployment of Windows 10.<br><a href='https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems'>Deploy Windows 10 with Configuration Manager</a><br><a href='https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit'>Deploy Windows 10 with MDT</a></td></tr><tr><td><img src='images/deploy3.png' width='192' height='192'><br>**Dynamic provisioning**<br>With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image.<br><a href='https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages'>Provisioning packages for Windows 10</a><br><a href='https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package'>Build and apply a provisioning package</a><br><a href='https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd'>Customize Windows 10 start and the taskbar</a></td><td><img src='images/deploy4.png' width='192' height='192'><br>**Other deployment scenarios**<br>Get guidance on how to deploy Windows 10 for students, faculty, and guest users - and how to deploy line-of-business apps.<br><a href='https://docs.microsoft.com/education/windows/'>Windows deployment for education environments</a><br><a href='https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc'>Set up a shared or guest PC with Windows 10</a><br><a href='https://docs.microsoft.com/windows/application-management/sideload-apps-in-windows-10'>Sideload apps in Windows 10</a></td></tr>
</table>
"
- title: Management and security
- items:
- type: markdown
text: "
Learn how to manage Windows 10 clients and apps, secure company data, and manage risk.<br>
<table><tr><td><img src='images/manage1.png' width='192' height='192'><br>**Manage Windows 10 updates**<br>Get best practices and tools to help you manage clients and apps.<br><a href='https://docs.microsoft.com/windows/client-management/'>Manage clients in Windows 10</a><br><a href='https://docs.microsoft.com/windows/application-management/'>Manage apps and features in Windows 10</a></td><td><img src='images/manage2.png' width='192' height='192'><br>**Security**<br>Intelligent security, powered by the cloud. Out-of-the-box protection, advanced security features, and intelligent management to respond to advanced threats.<br><a href='https://docs.microsoft.com/windows/security/index'>Windows 10 enterprise security</a><br><a href='https://docs.microsoft.com/windows/security/threat-protection'>Threat protection</a><br><a href='https://docs.microsoft.com/windows/access-protection'>Identity protection</a><br><a href='https://docs.microsoft.com/windows/security/information-protection'>Information protection</a></td></tr>
</table>
"
- title: Stay informed
- items:
- type: markdown
text: "
Stay connected with Windows 10 experts, your colleagues, business trends, and IT pro events.<br>
<table><tr><td><img src='images/insider.png' width='192' height='192'><br>**Sign up for the Windows IT Pro Insider**<br>Find out about new resources and get expert tips and tricks on deployment, management, security, and more.<br><a href='https://aka.ms/windows-it-pro-insider'>Learn more</a></td><td><img src='images/twitter.png' width='192' height='192'><br>**Follow us on Twitter**<br>Keep up with the latest desktop and device trends, Windows news, and events for IT pros.<br><a href='https://twitter.com/MSWindowsITPro'>Visit Twitter</a></td><td><img src='images/wip4biz.png' width='192' height='192'><br>**Join the Windows Insider Program for Business**<br>Get early access to new builds and provide feedback on the latest features and functionalities.<br><a href='https://insider.windows.com/ForBusiness'>Get started</a></td></tr>
</table>
"

2
windows/security/identity-protection/access-control/special-identities.md
View File

@ -186,7 +186,7 @@ This group includes all domain controllers in an Active Directory forest. Domain
All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed).
On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
Membership is controlled by the operating system.

2
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -458,7 +458,7 @@ contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,conto
Value format without proxy:
```console
contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com
contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com,
```
### Protected domains

4
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -59,7 +59,7 @@ To help address this security insufficiency, companies developed data loss preve
- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesnt see and cant understand.
Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesnt see and cant understand.
### Using information rights management systems
To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
@ -90,7 +90,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.

8
windows/security/threat-protection/TOC.md
View File

@ -256,9 +256,17 @@
#### [Resources](microsoft-defender-atp/mac-resources.md)
### [Microsoft Defender Advanced Threat Protection for iOS]()
#### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md)
#### [Deploy]()
##### [App-based deployment](microsoft-defender-atp/ios-install.md)
#### [Configure]()
##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
### [Microsoft Defender Advanced Threat Protection for Linux]()
#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)

35
windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
View File

@ -1,7 +1,7 @@
---
title: Collect diagnostic data of Microsoft Defender Antivirus
description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
@ -25,7 +25,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
> [!NOTE]
> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
@ -54,7 +54,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di
4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
> [!NOTE]
> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>` <br/>For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>` <br/>For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
@ -78,7 +78,7 @@ mpcmdrun.exe -GetFiles -SupportLogLocation <path>
Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path:
When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path:
```Dos
<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
@ -86,13 +86,30 @@ When the SupportLogLocation parameter is used, a folder structure as below will
| field | Description |
|:----|:----|
| path | The path as specified on the commandline or retrieved from configuration
| MMDD | Month Day when the diagnostic data was collected (eg 0530)
| hostname | the hostname of the device on which the diagnostic data was collected.
| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422)
| path | The path as specified on the command line or retrieved from configuration
| MMDD | Month and day when the diagnostic data was collected (for example, 0530)
| hostname | The hostname of the device on which the diagnostic data was collected
| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422)
> [!NOTE]
> When using a File share please make sure that account used to collect the diagnostic package has write access to the share.
> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.
## Specify location where diagnostic data is created
You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO).
1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`
1. Select **Define the directory path to copy support log files**.
![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png)
![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png)
3. Inside the policy editor, select **Enabled**.
4. Specify the directory path where you want to copy the support log files in the **Options** field.
![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png)
5. Select **OK** or **Apply**.
## See also

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 314 KiB

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 140 KiB

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

13
windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 07/22/2020
ms.date: 09/30/2020
ms.reviewer:
manager: dansimp
---
@ -28,14 +28,13 @@ manager: dansimp
> [!NOTE]
> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
To configure the Group Policy settings described in this topic:
## To configure the Group Policy settings described in this article
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -201,7 +200,7 @@ Scan | Specify the time for a daily quick scan | Specify the number of minutes a
Use the following cmdlets:
```PowerShell
Set-MpPreference -ScanScheduleQuickTime
Set-MpPreference -ScanScheduleQuickScanTime
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
@ -229,9 +228,7 @@ Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
## Related topics
## See also
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)

7
windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
View File

@ -14,7 +14,8 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.reviewer: ramarom, evaldm, isco, mabraitm
ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
ms.date: 09/24/2020
---
# View details and results of automated investigations
@ -22,7 +23,7 @@ ms.reviewer: ramarom, evaldm, isco, mabraitm
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically.
During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically.
If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
@ -164,5 +165,5 @@ When you click on the pending actions link, you'll be taken to the Action center
- [View and approve remediation actions](manage-auto-investigation.md)
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)

66
windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
View File

@ -1,22 +1,23 @@
---
title: Use automated investigations to investigate and remediate threats
description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export
description: Understand the automated investigation flow in Microsoft Defender for Endpoint.
keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
ms.date: 09/03/2020
ms.date: 09/30/2020
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.reviewer: ramarom, evaldm, isco, mabraitm
ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
ms.custom: AIR
---
@ -27,16 +28,16 @@ ms.custom: AIR
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities.
Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively.
Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated.
Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
## How the automated investigation starts
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
@ -51,15 +52,15 @@ During and after an automated investigation, you can view details about the inve
|Tab |Description |
|--|--|
|**Alerts**| Shows the alert that started the investigation.|
|**Devices** |Shows where the alert was seen.|
|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
|**Alerts**| The alert(s) that started the investigation.|
|**Devices** |The device(s) where the threat was seen.|
|**Evidence** |The entities that were found to be malicious during an investigation.|
|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.|
|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. |
> [!IMPORTANT]
> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
## How an automated investigation expands its scope
@ -69,48 +70,33 @@ If an incriminated entity is seen in another device, the automated investigation
## How threats are remediated
Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats.
Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats.
> [!NOTE]
> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
> Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
You can configure the following levels of automation:
|Automation level | Description|
|---|---|
|**Full - remediate threats automatically** | All remediation actions are performed automatically.<br/><br/>***This option is recommended** and is selected by default for Microsoft Defender ATP tenants that were created on or after August 16, 2020, and that have no device groups defined. <br/>If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.*|
|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br/><br/> Files or executables in all other folders are automatically remediated, if needed.|
|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders. <br/><br/> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).|
|**Semi - require approval for any remediation** | An approval is needed for any remediation action. <br/><br/>*This option is selected by default for Microsoft Defender ATP tenants that were created before August 16, 2020, and that have no device groups defined. <br/>If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
|**No automated response** | Devices do not get any automated investigations run on them. <br/><br/>***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* |
|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.<br/><br/>***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* <br/><br/>*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* |
|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md). <br/><br/>Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). |
|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).<br/><br/> Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples: <br/>- `\users\*\appdata\local\temp\*`<br/>- `\documents and settings\*\local settings\temp\*` <br/>- `\documents and settings\*\local settings\temporary\*`<br/>- `\windows\temp\*`<br/>- `\users\*\downloads\*`<br/>- `\program files\` <br/>- `\program files (x86)\*`<br/>- `\documents and settings\*\users\*` |
|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).<br/><br/>*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*<br/><br/>*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. <br/><br/>***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* |
> [!IMPORTANT]
> Regarding automation levels and default settings:
> - If your tenant already has device groups defined, the automation level settings are not changed for those device groups.
> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**.
> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**.
> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**.
> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**.
> - To change an automation level, **[edit your device groups](configure-automated-investigations-remediation.md#set-up-device-groups)**.
### A few points to keep in mind
- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed.
- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center).
> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
## Next steps
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
## See also
- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)

14
windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
View File

@ -1,10 +1,11 @@
---
title: Configure automated investigation and remediation capabilities
description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint.
keywords: configure, setup, automated, investigation, detection, alerts, remediation, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@ -14,20 +15,21 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.reviewer: ramarom, evaldm, isco, mabraitm
ms.topic: article
ms.date: 09/24/2020
ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
---
# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection
# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups).

16
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
View File

@ -41,7 +41,7 @@ Not all properties are filterable.
Get 10 latest Alerts with related Evidence
```
```http
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
```
@ -147,9 +147,9 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
### Example 2
Get all the alerts last updated after 2019-10-20 00:00:00
Get all the alerts last updated after 2019-11-22 00:00:00
```
```http
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
```
@ -205,7 +205,7 @@ HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTi
Get all the devices with 'High' 'RiskScore'
```
```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
```
@ -244,7 +244,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+
Get top 100 devices with 'HealthStatus' not equals to 'Active'
```
```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
```
@ -283,7 +283,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStat
Get all the devices that last seen after 2018-10-20
```
```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
```
@ -322,7 +322,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g
Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
```
```http
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
```
@ -354,7 +354,7 @@ json{
Get the count of open alerts for a specific device:
```
```http
HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
```

BIN
windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 612 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 326 KiB

47
windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Configure Microsoft Defender ATP for iOS features
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for iOS features
keywords: microsoft, defender, atp, ios, configure, features, ios
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configure Microsoft Defender ATP for iOS features
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
> [!IMPORTANT]
> **PUBLIC PREVIEW EDITION**
>
> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
## Configure custom indicators
Microsoft Defender ATP for iOS enables admins to configure custom indicators on
iOS devices as well. Refer to [Manage
indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
on how to configure custom indicators
## Web Protection
By default, Microsoft Defender ATP for iOS includes and enables the web
protection feature. [Web
protection](web-protection-overview.md) helps
to secure devices against web threats and protect users from phishing attacks.
>[!NOTE]
>Microsoft Defender ATP for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.

80
windows/security/threat-protection/microsoft-defender-atp/ios-install.md Normal file
View File

@ -0,0 +1,80 @@
---
title: App-based deployment for Microsoft Defender ATP for iOS
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for iOS using an app
keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# App-based deployment for Microsoft Defender ATP for iOS
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
> [!IMPORTANT]
> **PUBLIC PREVIEW EDITION**
>
> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
Microsoft Defender ATP for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
Deployment devices need to be enrolled on Intune Company portal. Refer to
[Enroll your
device](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll) to
learn more about Intune device enrollment
## Before you begin
- Ensure you have access to [Microsoft Endpoint manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431).
- Ensure iOS enrollment is done for your users. Users need to have Microsoft Defender ATP
license assigned in order to use Microsoft Defender ATP for iOS. Refer [Assign licenses to
users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
for instructions on how to assign licenses.
## Deployment steps
To install Microsoft Defender ATP for iOS, end-users can visit
<https://aka.ms/defenderios> on their iOS devices. This link will open the
TestFlight application on their device or prompt them to install TestFlight. On
the TestFlight app, follow the onscreen instructions to install Microsoft
Defender ATP.
![Image of deployment steps](images/testflight-get.png)
## Complete onboarding and check status
1. Once Microsoft Defender ATP for iOS has been installed on the device, you
will see the app icon.
![A screen shot of a smart phone Description automatically generated](images/41627a709700c324849bf7e13510c516.png)
2. Tap the Microsoft Defender ATP app icon and follow the on-screen
instructions to complete the onboarding steps. The details include end-user
acceptance of iOS permissions required by Microsoft Defender ATP for iOS.
3. Upon successful onboarding, the device will start showing up on the Devices
list in Microsoft Defender Security Center.
> [!div class="mx-imgBorder"]
> ![A screenshot of a cell phone Description automatically generated](images/e07f270419f7b1e5ee6744f8b38ddeaf.png)
## Next Steps
[Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)

2
windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
View File

@ -31,7 +31,7 @@ ms.topic: conceptual
## Summary
In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Users in your organization are not able to change preferences that are set through the configuration profile.
In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Changing the preferences that are set through the configuration profile requires escalated privileges and is not available for users without administrative permissions.
This article describes the structure of the configuration profile, includes a recommended profile that you can use to get started, and provides instructions on how to deploy the profile.

6
windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
View File

@ -41,6 +41,12 @@ ms.topic: conceptual
> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
## 101.09.49
- User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user
- Improved CPU utilization during on-demand scans
- Performance improvements & bug fixes
## 101.07.23
- Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID

7
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
View File

@ -32,9 +32,9 @@ ms.topic: conceptual
The public preview of Microsoft Defender ATP for iOS will offer protection
against phishing and unsafe network connections from websites, emails and apps.
against phishing and unsafe network connections from websites, emails, and apps.
All alerts will be available through a single pane of glass in the Microsoft
Defender Security Center, giving security teams a centralized view of threats on
Defender Security Center. The portal gives security teams a centralized view of threats on
iOS devices along with other platforms.
## Pre-requisites
@ -72,4 +72,5 @@ iOS devices along with other platforms.
## Next steps
Microsoft Defender for Endpoint capabilities for iOS will be released into public preview in the coming weeks. At that time, we will publish additional deployment and configuration information. Please check back here in a few weeks.
- [Deploy Microsoft Defender ATP for iOS](ios-install.md)
- [Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)

5
windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
View File

@ -107,13 +107,12 @@ The hardware requirements for Microsoft Defender ATP on devices are the same for
### Other supported operating systems
- Android
- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
- Linux
- macOS
> [!NOTE]
> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.
>
> Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux.
### Network and data storage and configuration requirements

1
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -51,6 +51,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea
The following features are included in the preview release:
- [Microsoft Defender ATP for iOS](microsoft-defender-atp-ios.md) <br> Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS.
- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) <br> Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR> Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. <BR> <BR> Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.

3
windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
View File

@ -84,6 +84,9 @@ Tip: You can deploy a policy without selecting any category on a device group. T
>[!NOTE]
>If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
>[!IMPORTANT]
>Blocking the "Uncategorized" category may lead to unexpected and undesired results.
### Allow specific websites
It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question.

10
windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
View File

@ -25,7 +25,7 @@ ms.date: 10/30/2019
Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices.
With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from “every app is Microsoft-verified" to “every app is verified by Microsoft or your organization”.
With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization".
Refer to the below video for an overview and brief demo.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp]
@ -57,7 +57,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
```powershell
Set-RuleOption -FilePath "<path>\SupplementalPolicy.xml>" -Option 3 Delete
```
This deletes the audit mode qualifier.
This deletes the 'audit mode' qualifier.
- Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the WDAC policy:
```powershell
@ -88,9 +88,9 @@ Refer to [Intune Standalone - Win32 app management](https://docs.microsoft.com/i
## Optional: Process for Deploying Apps using Catalogs
![Deploying Apps using Catalogs](images/wdac-intune-app-catalogs.png)
Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you dont want to allow as well.
Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well.
Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you dont want to trust all apps that may share the same signing certificate.
Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate.
The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. Use the Add-SignerRule PowerShell cmdlet as shown above to authorize the catalog signing certificate in the supplemental policy. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs.
@ -184,8 +184,6 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis
In order to revert users to an unmodified S mode policy, an IT Pro can remove a user or users from the targeted Intune group which received the policy, which will trigger a removal of both the policy and the authorization token from the device.
IT Pros also have the choice of deleting a supplemental policy through Intune.
> [!Note]
> This feature currently has a known bug which occurs when an S mode supplemental policy is deleted through Intune, in which the policy is not immediately removed from the devices to which it was deployed. A fix is expected in the 2D update in late February 2020. In the meantime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
```xml
<?xml version="1.0" encoding="utf-8"?>

58
windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
View File

@ -1,7 +1,7 @@
---
title: WDAC and AppLocker Overview
description: Compare Windows application control technologies.
keywords: security, malware
keywords: security, malware, allow-list, block-list
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,7 +14,7 @@ author: denisebmsft
ms.reviewer: isbrahm
ms.author: deniseb
manager: dansimp
ms.date: 04/15/2020
ms.date: 09/30/2020
ms.custom: asr
---
@ -29,58 +29,48 @@ Windows 10 includes two technologies that can be used for application control de
## Windows Defender Application Control
WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
> [!NOTE]
> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
- The identity of the process that initiated the installation of the app and its binaries (managed installer);
- The path from which the app or file is launched (beginning with Windows 10 version 1903);
- The process that launched the app or binary.
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md)
- The identity of the process that initiated the installation of the app and its binaries ([managed installer](use-windows-defender-application-control-with-managed-installer.md))
- The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
- The process that launched the app or binary
Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'.
### WDAC System Requirements
WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
WDAC policies can only be created on devices running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
WDAC policies can be applied to devices running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10.
## AppLocker
AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
AppLocker was introduced with Windows 7 and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature.
AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
- The path from which the app or file is launched (beginning with Windows 10 version 1903).
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
- The path from which the app or file is launched
### AppLocker System Requirements
AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use WDAC or AppLocker
Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. AppLocker is a legacy technology which will continue to receive security fixes but will not undergo new feature improvements.
### WDAC is best when:
- You are adopting application control primarily for security reasons.
- Your application control policy can be applied to all users on the managed computers.
- All of the devices you wish to manage are running Windows 10.
### AppLocker is best when:
In some cases, however, AppLocker may be the more appropriate technology for your organization. AppLocker is best when:
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
- You need to apply different policies for different users or groups on a shared computer.
- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
- You do not wish to enforce application control on application files such as DLLs or drivers.
- You need to apply different policies for different users or groups on shared computers.
## When to use both WDAC and AppLocker together
AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where it is important to prevent some users from running specific apps.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.

21
windows/security/threat-protection/windows-defender-security-center/oldTOC.md
View File

@ -1,21 +0,0 @@
---
ms.author: dansimp
author: dansimp
ms.prod: w10
title: The Microsoft Defender Security Center app
---
# [The Microsoft Defender Security Center app](windows-defender-security-center.md)
## [Customize the Microsoft Defender Security Center app for your organization](wdsc-customize-contact-information.md)
## [Hide Microsoft Defender Security Center app notifications](wdsc-hide-notifications.md)
## [Manage Microsoft Defender Security Center in Windows 10 in S mode](wdsc-windows-10-in-s-mode.md)
## [Virus and threat protection](wdsc-virus-threat-protection.md)
## [Account protection](wdsc-account-protection.md)
## [Firewall and network protection](wdsc-firewall-network-protection.md)
## [App and browser control](wdsc-app-browser-control.md)
## [Device security](wdsc-device-security.md)
## [Device performance and health](wdsc-device-performance-health.md)
## [Family options](wdsc-family-options.md)

2
windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
View File

@ -86,7 +86,7 @@ The following table identifies and defines terms used throughout this guide.
| Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).|
| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see &quot;Isolated domain&quot; in this table.|
| Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.|
| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.<br/>By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.<br/>By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).|
| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.|
| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).<br/>In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|