From 443c53cbfd1a94240e6568ae4dfe09e5be9299b6 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 16 Dec 2020 23:21:11 +0530 Subject: [PATCH 01/41] updated-4620497 updated --- windows/security/threat-protection/index.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 88ac6667fb..f9594c5218 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Threat Protection [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + > [!TIP] > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/). From 11d5cadf01f2d447f0f36f18552fe5cb5207b532 Mon Sep 17 00:00:00 2001 
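Review bot: the new **Applies to:** block in threat-protection/index.md lands after the introductory paragraph rather than directly under the `# Threat Protection` heading, which is where the other pages touched in this series put it (distribute-offline-apps.md has it immediately below its H1); move the two added lines up so they follow the heading. The added bullet also links Defender for Endpoint through a go.microsoft.com fwlink while the sentence just above links the same product by its docs.microsoft.com path, so the two links can drift apart over time; pick one target for both.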
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 01:20:58 +0100 Subject: [PATCH 02/41] Update filesystem-csp.md Based on the implied confusion in issue ticket #8387 (**FileSystem CSP examples**), I noticed that the 2 **Note** lines in this document do not adhere to the MS standard of using colored Note blobs. This PR aims to rectify that issue, hoping that this may clarify the following: > FileSystem CSP is only supported in Windows 10 Mobile. Thanks to @joinimran for mentioning this fact and making me aware of this issue. Changes proposed: - update/upgrade 2 **Note** lines to use standard Microsoft Note blob formatting - encapsulate filename `winnt.h` in MD back ticks to display as monospaced font Whitespace changes: - Remove 10 empty lines at the end of the document - reduce double blank lines to single (3 occurrences) - remove all redundant end-of-line blank spaces - bullet point lists: reduce triple consecutive blank space to single Closes #8387 --- .../client-management/mdm/filesystem-csp.md | 64 ++++++++----------- 1 file changed, 25 insertions(+), 39 deletions(-) diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 9bad3fe712..39061b8c6d 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md 
@@ -14,41 +14,38 @@ ms.date: 06/26/2017 # FileSystem CSP - The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user. -> **Note**  FileSystem CSP is only supported in Windows 10 Mobile. -> -> -> -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. +> [!NOTE] +> FileSystem CSP is only supported in Windows 10 Mobile. - +> [!NOTE] +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. ![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png) -**FileSystem** +**FileSystem** Required. Defines the root of the file system management object. It functions as the root directory for file system queries. Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path. The following properties are supported for the root node: -- `Name`: The root node name. The Get command is the only supported command. +- `Name`: The root node name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command. +- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. 
The Get command is the only supported command. -- `Format`: The format, which is `node`. The Get command is the only supported command. +- `Format`: The format, which is `node`. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: Not supported. +- `Size`: Not supported. -- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. -***file directory*** +***file directory*** Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements. The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code. 
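Review bot: the commit message says `winnt.h` is wrapped in backticks, but in this first hunk the root-node `msft:SystemAttributes` bullet is re-emitted with plain winnt.h (only trailing whitespace changed); apply the same backticks here as in the directory-properties list so all occurrences in the page render the same way. The conversion of the two `> **Note**` lines to `> [!NOTE]` blocks is correct and matches the docs convention.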
@@ -61,19 +58,19 @@ The Delete command is used to delete all files and subfolders under this *file d The following properties are supported for file directories: -- `Name`: The file directory name. The Get command is the only supported command. +- `Name`: The file directory name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command. +- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command. -- `Format`: The format, which is `node`. The Get command is the only supported command. +- `Format`: The format, which is `node`. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: Not supported. +- `Size`: Not supported. -- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file directory attributes. 
This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file `winnt.h`. This supports the Get command and the Replace command. -***file name*** +***file name*** Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead. The Delete command deletes the file. 
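Review bot: the `Type` bullet for file directories still reads "which an empty string for directories that are not the root node"; since this line is being re-emitted anyway, insert the missing verb: "The MIME type of the file, which is an empty string for directories that are not the root node."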
@@ -86,29 +83,18 @@ The Get command is not supported on a *file name* element, only on the propertie The following properties are supported for files: -- `Name`: The file name. The Get command is the only supported command. +- `Name`: The file name. The Get command is the only supported command. -- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. +- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. -- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command. +- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: The unencoded file content size in bytes. The Get command is the only supported command. +- `Size`: The unencoded file content size in bytes. The Get command is the only supported command. -- `msft:SystemAttributes`: A custom property that contains file attributes. 
This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - From cd12eb005a60ba0d937d257dcb450b3eae560049 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 7 Jan 2021 20:54:26 +0100 Subject: [PATCH 03/41] Missing verb "is" in line 36 Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/filesystem-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 39061b8c6d..9a50b99317 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -60,7 +60,7 @@ The following properties are supported for file directories: - `Name`: The file directory name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command. +- `Type`: The MIME type of the file, which is an empty string for directories that are not the root node. The Get command is the only supported command. - `Format`: The format, which is `node`. The Get command is the only supported command. From 655e9bd4d318470d7eba59d6c605c8d0449e5574 Mon Sep 17 00:00:00 2001 
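Review bot: in the file-properties hunk of filesystem-csp.md (`@@ -86,29 +83,18 @@`), the `msft:SystemAttributes` bullet again keeps plain winnt.h without the backticks the commit message promises, and the `Format` bullet is grammatically broken: "b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml". Suggest "b64 encoded when binary data is sent over XML, and bin format when it is sent over WBXML" (the acronym is conventionally uppercase). The removal of the trailing empty lines after the Related topics link is fine.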
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 7 Jan 2021 20:55:07 +0100 Subject: [PATCH 04/41] Missing capitalization for WBXML in line 90 Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/filesystem-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 9a50b99317..12547591ba 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -87,7 +87,7 @@ The following properties are supported for files: - `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. -- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command. +- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over WBXML. The Get command is the only supported command. - `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. From b6e9b39ce408c7638c5c91cd60a4e7be45102886 Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 12 Jan 2021 00:26:51 +0100 Subject: [PATCH 05/41] Update distribute-offline-apps.md From issue ticket #8942 (**Broken link - Distribute offline apps**): > Hi all. > > In Distribute offline apps (https://docs.microsoft.com/en-us/microsoft-store/distribute-offline-apps) the link Manage apps from Microsoft Store for Business with Microsoft Intune that points to [docs.microsoft.com/en-us/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune](https://docs.microsoft.com/en-us/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune) reports error 404. Probably the destination has changed URL. I believe that it should point to the doc How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune - [docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business](https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business). > > Can you double check this and fix it please? Thanks to @joaonltome for noticing and reporting this broken link and also suggesting a likely solution. Changes proposed: - Replace the broken link /microsoft-store/distribute-offline-apps with the working page link /mem/intune/apps/windows-store-for-business . - Change the paragraph title "To download an offline-licensed app" from **bold** formatting to an H3 heading, as well as including the HTML anchor in that heading. (This heading level might possibly need to be an H4 heading size to remain the same size as its current **bold**-only format.) Whitespace changes: - Remove 13 redundant blank lines at the end of the document page. - By removing these 13 blank lines, we also remove that redundant empty command copy box (created by indents). - Reduce 12 occurrences of 3 blank spaces after bullet point list indicators to 1 space. 
- Reduce 6 occurrences of double blank space after numbered list indicators to 1 space. - Add missing colon in **Applies to:** . Closes #8942 --- store-for-business/distribute-offline-apps.md | 56 +++++++------------ 1 file changed, 21 insertions(+), 35 deletions(-) diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 33b58da4ab..e3dbdb3592 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -18,10 +18,10 @@ ms.date: 10/17/2017 # Distribute offline apps -**Applies to** +**Applies to:** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store. 
@@ -29,23 +29,23 @@ Offline licensing is a new licensing option for Windows 10 with Microsoft Store Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps: -- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. +- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. -- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD). +- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD). -- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store. +- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store. ## Distribution options for offline-licensed apps You can't distribute offline-licensed apps directly from Microsoft Store. Once you download the items for the offline-licensed app, you have options for distributing the apps: -- **Deployment Image Servicing and Management**. 
DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows). +- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows). -- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages). +- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. 
Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages). -- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics: +- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics: - [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
+ - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/windows-store-for-business)
For third-party MDM providers or management servers, check your product documentation. 
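Review bot: the only substantive change in this hunk is the Intune link swapped to https://docs.microsoft.com/mem/intune/apps/windows-store-for-business; every other changed line is trailing-whitespace removal, which buries the actual fix and makes it easy to miss in review. Consider keeping whitespace cleanup in a separate commit. Note too that the commit message describes the fix as replacing "/microsoft-store/distribute-offline-apps", which is the page being edited, not the broken target; the link actually replaced is /intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune.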
@@ -53,23 +53,22 @@ For third-party MDM providers or management servers, check your product document There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app. -- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. +- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. -- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. +- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. -- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. +- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. 
-- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. +- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. - -**To download an offline-licensed app** +### To download an offline-licensed app -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**. -3. Click **Settings**. -4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. -5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. -6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**. +3. Click **Settings**. +4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. +5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. +6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional. 
- **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required. @@ -78,16 +77,3 @@ There are several items to download or create for offline-licensed apps. The app > [!NOTE] > You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible. - - - -   - -  - -  - - - - - From 799286b74cfbace1cfb86634890c20b8268d0def Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 12 Jan 2021 01:01:35 +0100 Subject: [PATCH 06/41] Revert HTML anchor link heading format - change "To download an offline-licensed app" heading format back to **bold** - remove the line separation (NewLine/Line break) to enable the anchor link again --- store-for-business/distribute-offline-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index e3dbdb3592..c22a4358d7 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -61,7 +61,7 @@ There are several items to download or create for offline-licensed apps. The app - **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. -### To download an offline-licensed app +**To download an offline-licensed app** 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. From 92c77fa38c443d7c33dd647ba2700ebbc85e1921 Mon Sep 17 00:00:00 2001 
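Review bot: the revert hunk in distribute-offline-apps.md (`@@ -61,7 +61,7 @@`) changes only `### To download an offline-licensed app` back to `**To download an offline-licensed app**`, 1 insertion and 1 deletion. The commit message also says a line break was removed to re-enable the anchor link, but no such change appears in the hunk, and no HTML anchor is visible in its context lines; either the description is stale or the anchor sits on a line outside this hunk, so confirm the anchor element actually follows the bold text before merging.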
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 12 Jan 2021 19:33:47 +0100 Subject: [PATCH 07/41] correct casing for "the internet" to 'the Internet' Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- store-for-business/distribute-offline-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index c22a4358d7..8a5ead4fe6 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -29,7 +29,7 @@ Offline licensing is a new licensing option for Windows 10 with Microsoft Store Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps: -- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. +- **You don't have access to Microsoft Store services** - If your employees don't have access to the Internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. - **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD). From f58a1d313db4131878d90d90a046a0bf8977b0d2 Mon Sep 17 00:00:00 2001 
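Review bot: this hunk capitalizes "the internet" to "the Internet", but the Microsoft Writing Style Guide calls for lowercase "internet"; the pre-change text was already consistent with that guidance, so this change should be dropped rather than merged.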
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 21 Jan 2021 19:07:44 +0530 Subject: [PATCH 08/41] changed minutes to seconds as per user report #8995 , so i changed minutes to seconds i took help from below site **https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-asprov/7dcdd2c3-43ca-4425-b8d4-443b1d2c0638** --- windows/client-management/mdm/policy-csp-devicelock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index f68a71f820..b106637736 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -677,7 +677,7 @@ The following list shows the supported values: -Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. +Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. * On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. * On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. From f22675ab6af56193c9f671f3963ecee865bf57c4 Mon Sep 17 00:00:00 2001 
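Review bot: the unit change from minutes to seconds in `DeviceLock` is justified by MS-ASPROV, the Exchange ActiveSync provisioning spec, but this page documents the MDM Policy CSP, a different protocol with its own value definition; the surrounding context still states the Lumia 950 limit in minutes. Verify the unit against the Policy CSP's own definition (or its DDF) before merging, since an incorrect unit here would lead administrators to set lock timeouts 60 times longer or shorter than intended.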
From: Matthew Palko Date: Fri, 22 Jan 2021 17:29:45 -0800 Subject: [PATCH 09/41] Restructuring Windows Hello for Business Docks --- windows/security/identity-protection/TOC.md | 2 +- .../feature-multifactor-unlock.md | 4 +- .../hello-deployment-guide.md | 43 ++++--- .../hello-for-business/hello-features.md | 57 --------- .../hello-how-it-works-tech-deep-dive.md | 49 -------- .../hello-for-business/hello-how-it-works.md | 31 +++-- .../hello-identity-verification.md | 33 ++--- .../hello-planning-guide.md | 28 +++-- .../hello-for-business/index.yml | 113 ++++++++++++++++++ .../hello-for-business/toc.md | 4 +- .../hello-for-business/toc.yml | 18 +++ windows/security/identity-protection/index.md | 2 +- 12 files changed, 213 insertions(+), 171 deletions(-) delete mode 100644 windows/security/identity-protection/hello-for-business/hello-features.md delete mode 100644 windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md create mode 100644 windows/security/identity-protection/hello-for-business/index.yml create mode 100644 windows/security/identity-protection/hello-for-business/toc.yml diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 7f7f58c2b8..16e55efb95 100644 --- a/windows/security/identity-protection/TOC.md +++ b/windows/security/identity-protection/TOC.md @@ -18,7 +18,7 @@ #### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md) #### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md) -## [Windows Hello for Business](hello-for-business/hello-identity-verification.md) +## [Windows Hello for Business](hello-for-business/index.yml) ## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) ### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md) 
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 215c86beea..da9b1c7c1e 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -1,5 +1,5 @@ --- -title: Multifactor Unlock +title: Multi-factor Unlock description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor ms.prod: w10 @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 03/20/2018 ms.reviewer: --- -# Multifactor Unlock +# Multi-factor Unlock **Applies to:** - Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index f3f064b1d1..95b07dfe0d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Hello for Business Deployment Guide +title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 
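Review bot: the `title:` and `# Multi-factor Unlock` heading are renamed, but the `description:` on the next line still says "multifactor device unlock" and `ms.date: 03/20/2018` is left untouched in the same front matter, so the page now mixes both spellings and carries a stale date. Update the description to match the new heading and bump `ms.date` with the rest of this restructuring, or leave the original spelling so the file stays internally consistent.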
@@ -13,28 +13,35 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/29/2018 +ms.date: 01/21/2021 ms.reviewer: --- -# Windows Hello for Business Deployment Guide +# Windows Hello for Business Deployment Overview **Applies to** -- Windows 10, version 1703 or later + +- Windows 10, version 1703 or later Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. -This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment. +This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization. + +Once you've chosen a deployment model, the deployment guide for the that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. + +> [!NOTE] +> Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model. ## Assumptions -This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. 
For either hybrid or on-premises deployments, it is expected that you have: -* A well-connected, working network -* Internet access -* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning -* Proper name resolution, both internal and external names -* Active Directory and an adequate number of domain controllers per site to support authentication -* Active Directory Certificate Services 2012 or later -* One or more workstation computers running Windows 10, version 1703 +This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: + +- A well-connected, working network +- Internet access +- Multi-factor Authentication Server to support MFA during Windows Hello for Business provisioning +- Proper name resolution, both internal and external names +- Active Directory and an adequate number of domain controllers per site to support authentication +- Active Directory Certificate Services 2012 or later +- One or more workstation computers running Windows 10, version 1703 If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. 
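Review bot: the added sentence "Once you've chosen a deployment model, the deployment guide for the that model will provide you..." contains a doubled article ("the that"); it should read "the deployment guide for that model will provide you with the information needed...". The rest of the hunk (the new NOTE pointing at hello-identity-verification.md and the re-bulleted assumptions list) is fine, though the note's link text ("Deployment Prerequisite Overview") only makes sense once the retitling of that page in the same PR lands, so the two files should merge together.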
@@ -46,15 +53,17 @@ Windows Hello for Business has three deployment models: Cloud, hybrid, and on-pr Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. -The trust model determines how you want users to authenticate to the on-premises Active Directory: -* The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. -* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. -* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. +The trust model determines how you want users to authenticate to the on-premises Active Directory: + +- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. +- The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. +- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. > [!NOTE] > RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. 
Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). Following are the various deployment guides and models included in this topic: + - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) - [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md deleted file mode 100644 index d35d4dea64..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -title: Windows Hello for Business Features -description: Consider additional features you can use after your organization deploys Windows Hello for Business. -ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -ms.reviewer: -keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: mapalko -ms.author: mapalko -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 11/27/2019 ---- -# Windows Hello for Business Features - -**Applies to:** - -- Windows 10 - -Consider these additional features you can use after your organization deploys Windows Hello for Business. - -## Conditional access - -Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md). - -## Dynamic lock - -Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md). - -## PIN reset - -Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md). 
- -## Dual Enrollment - -This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md). - -## Remote Desktop - -Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md). - -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md deleted file mode 100644 index 0e03beb9e3..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: How Windows Hello for Business works - Technical Deep Dive -description: Deeply explore how Windows Hello for Business works, and how it can help your users authenticate to services. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: mapalko -ms.author: mapalko -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -ms.reviewer: ---- -# Technical Deep Dive - -**Applies to:** -- Windows 10 - -Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories: -- [Registration](#registration) -- [Provisioning](#provisioning) -- [Authentication](#authentication) - -## Registration - -Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). - -[How Device Registration Works](hello-how-it-works-device-registration.md) - - -## Provisioning - -Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. 
The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
-After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider.
-For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.
-Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page. - -[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md) - -## Authentication - -Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. - -[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 528c1b6fe8..60d7c90219 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md 
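Review bot: hello-features.md and hello-how-it-works-tech-deep-dive.md are deleted outright, but the diff stat for this PR (12 files changed) shows no accompanying redirection entry, and hello-features.md was until now the "Related topics" target on several sibling pages, so any published URL or cross-reference to either file will 404 after merge. Add redirects for both deleted paths (to index.yml or hello-how-it-works.md respectively) in the same PR, and grep the tree for remaining links to `hello-features.md` and `hello-how-it-works-tech-deep-dive.md` before merging.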
@@ -19,7 +19,7 @@ ms.reviewer: **Applies to** -- Windows 10 +- Windows 10 Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. 
@@ -28,20 +28,37 @@ Watch this quick video where Pieter Wigleven gives a simple explanation of how W ## Technical Deep Dive -Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business. +Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business. -Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work. +### Device Registration + +Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). + +For more information read [how device registration works](hello-how-it-works-device-registration.md). + +### Provisioning + +Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential. + +Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works. 
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s] + +For more information read [how provisioning works](hello-how-it-works-provisioning.md). + +### Authentication + +Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. + +Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works. + > [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek] -- [Technology and Terminology](hello-how-it-works-technology.md) -- [Device Registration](hello-how-it-works-device-registration.md) -- [Provisioning](hello-how-it-works-provisioning.md) -- [Authentication](hello-how-it-works-authentication.md) +For more information read [how authentication works](hello-how-it-works-authentication.md). ## Related topics +- [Technology and Terminology](hello-how-it-works-technology.md) - [Windows Hello for Business](hello-identity-verification.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 4d3512719a..d53a57bff1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md 
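Review bot: the Authentication paragraph is carried over verbatim from the deleted deep-dive page and brings its grammar problems with it: "With the device registered, and provisioning complete. Users can sign-in to Windows 10..." is a sentence fragment, and "The PIN nor the private portion of the credential are never sent to the identity provider" needs "Neither the PIN nor the private portion of the credential is ever sent to the identity provider". Since this move is the one chance to touch the text without a separate edit, fix both while relocating it; the security claim itself (PIN used as user-supplied entropy for the private key operation, never stored or transmitted) is correct and should be kept as-is.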
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -1,6 +1,6 @@ --- -title: Windows Hello for Business (Windows 10) -description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. +title: Windows Hello for Business Deployment Prerequisite Overview +description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E ms.reviewer: keywords: identity, PIN, biometric, Hello, passport @@ -15,29 +15,14 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 05/05/2018 +ms.date: 1/22/2021 --- -# Windows Hello for Business +# Windows Hello for Business Deployment Prerequisite Overview -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
-Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account. +This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. -Windows Hello addresses the following problems with passwords: - -- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials (passwords). -- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). - -> | | | | -> | :---: | :---: | :---: | -> | [![Overview Icon](images/hello_filter.png)](hello-overview.md)
[Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
[Manage Windows Hello in your Organization](hello-manage-in-organization.md) | - - -## Prerequisites - -### Cloud Only Deployment +## Cloud Only Deployment * Windows 10, version 1511 or later * Microsoft Azure Account @@ -46,9 +31,9 @@ Windows Hello addresses the following problems with passwords: * Modern Management (Intune or supported third-party MDM), *optional* * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory -### Hybrid Deployments +## Hybrid Deployments -The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. +The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. | Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | | --- | --- | --- | --- | @@ -76,7 +61,7 @@ The table shows the minimum requirements for each deployment. For key trust in a > Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 -### On-premises Deployments +## On-premises Deployments The table shows the minimum requirements for each deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 265aa7219d..22519b0b31 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
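Review bot: the new `ms.date: 1/22/2021` in this front matter is not zero-padded, whereas every other date touched in this PR uses `MM/DD/YYYY` (for example `ms.date: 01/21/2021` in hello-deployment-guide.md); use `01/22/2021` here. Separately, the removed intro ("Windows Hello addresses the following problems with passwords: ...") disappears from this page without being moved anywhere in the diff, so confirm that hello-overview.md already carries that content before dropping it.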
@@ -19,13 +19,15 @@ ms.reviewer: # Planning a Windows Hello for Business Deployment **Applies to** -- Windows 10 + +- Windows 10 Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. -If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). +> [!Note] +>If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). ## Using this guide 
@@ -38,12 +40,13 @@ This guide removes the appearance of complexity by helping you make decisions on Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment. There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are: -* Deployment Options -* Client -* Management -* Active Directory -* Public Key Infrastructure -* Cloud + +- Deployment Options +- Client +- Management +- Active Directory +-Public Key Infrastructure +- Cloud ### Baseline Prerequisites 
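Review bot: in the re-bulleted categories list the item `-Public Key Infrastructure` is missing the space after the hyphen, so Markdown will not render it as a list item and the six-category list will show five bullets and a stray line. It should be `- Public Key Infrastructure` like its neighbours.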
@@ -58,13 +61,16 @@ The goal of Windows Hello for Business is to enable deployments for all organiza There are three deployment models from which you can choose: cloud only, hybrid, and on-premises. ##### Cloud only + The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure. ##### Hybrid + The hybrid deployment model is for organizations that: -* Are federated with Azure Active Directory -* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect -* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources + +- Are federated with Azure Active Directory +- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect +- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] > Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml new file mode 100644 index 0000000000..98c1dc8fc0 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/index.yml 
@@ -0,0 +1,113 @@ +### YamlMime:Landing + +title: Windows Hello for Business documentation +summary: Learn how to manage and deploy Windows Hello for Business. + +metadata: + title: Windows Hello for Business documentation + description: Learn how to manage and deploy Windows Hello for Business. + ms.prod: w10 + ms.topic: landing-page + author: mapalko + manager: dansimp + ms.author: mapalko + ms.date: 01/22/2021 + ms.collection: M365-identity-device-management + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: About Windows Hello For Business + linkLists: + - linkListType: overview + links: + - text: Windows Hello for Business Overview + url: hello-overview.md + - linkListType: concept + links: + - text: Passwordless Strategy + url: passwordless-strategy.md + - text: Why a PIN is better than a password + url: hello-why-pin-is-better-than-password.md + - text: Windows Hello biometrics in the enterprise + url: hello-biometrics-in-enterprise.md + - text: How Windows Hello for Business works + url: hello-how-it-works.md + -linkListType: learn + links: + - text: Technical Deep Dive - Device Registration + url: hello-how-it-works-device-registration.md + - text: Technical Deep Dive - Provisioning + url: hello-how-it-works-provisioning.md + - text: Technical Deep Dive - Authentication + url: hello-how-it-works-authentication.md + - text: Technology and Terminology + url: hello-how-it-works-technology.md + - text: Frequently Asked Questions (FAQ) + url: hello-faq.yml + + # Card + - title: Configure and manage Windows Hello for Business + linkLists: + - linkListType: concept + links: + - text: Windows Hello for Business Deployment Overview + url: hello-deployment-guide.md + - text: Planning a Windows Hello for Business 
Deployment + url: hello-planning-guide.md + - text: Deployment Prerequisite Overview + url: hello-identity-verification.md + - linkListType: how-to-guide + links: + - text: Hybrid Azure AD Joined Key Trust Deployment + url: hello-hybrid-key-trust.md + - text: Hybrid Azure AD Joined Certificate Trust Deployment + url: hello-hybrid-cert-trust.md + - text: On-premises SSO for Azure AD Joined Devices + url: hello-hybrid-aadj-sso.md + - text: On-premises Key Trust Deployment + url: hello-deployment-key-trust.md + - text: On-premises Certificate Trust Deployment + url: hello-deployment-cert-trust.md + - linkListType: learn + links: + - text: Manage Windows Hello for Business in your organization + url: hello-manage-in-organization.md + - text: Windows Hello and password changes + url: hello-and-password-changes.md + - text: Prepare people to use Windows Hello + url: hello-prepare-people-to-use.md + + # Card + - title: Windows Hello for Business Features + linkLists: + - linkListType: how-to-guide + links: + - text: Conditional Access + url: hello-feature-conditional-access.md + - text: PIN Reset + url: hello-feature-pin-reset.m + - text: Dual Enrollment + url: hello-feature-dual-enrollment.md + - text: Dynamic Lock + url: hello-feature-dynamic-lock.md + - text: Multi-factor Unlock + url: feature-multifactor-unlock.md + - text: Remote Desktop + url: hello-feature-remote-desktop.md + + # Card + - title: Windows Hello for Business Troubleshooting + linkLists: + - linkListType: concept + links: + - text: Known Deployment Issues + url: hello-deployment-issues.md + - text: Errors During PIN Creation + url: hello-errors-during-pin-creation.md + + + \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index b046ac97ee..77e08dfd22 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md 
+++ b/windows/security/identity-protection/hello-for-business/toc.md @@ -1,6 +1,6 @@ # [Windows Hello for Business](hello-identity-verification.md) -## [Password-less Strategy](passwordless-strategy.md) +## [Passwordless Strategy](passwordless-strategy.md) ## [Windows Hello for Business Overview](hello-overview.md) ## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) @@ -10,7 +10,7 @@ ### [Conditional Access](hello-feature-conditional-access.md) ### [Dual Enrollment](hello-feature-dual-enrollment.md) ### [Dynamic Lock](hello-feature-dynamic-lock.md) -### [Multifactor Unlock](feature-multifactor-unlock.md) +### [Multi-factor Unlock](feature-multifactor-unlock.md) ### [PIN Reset](hello-feature-pin-reset.md) ### [Remote Desktop](hello-feature-remote-desktop.md) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml new file mode 100644 index 0000000000..dd48cc97b4 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -0,0 +1,18 @@ +- name: Windows Hello for Business documentation + href: index.yml +- name: Overview + items: + - name: Windows Hello for Business Overview + href: hello-overview.md +- name: Concepts + items: + - name: + href: +- name: How-to Guides + items: + - name: + href: +- name: Reference + items: + - name: + href: \ No newline at end of file diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index f57abc302f..dd87cded73 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md 
@@ -31,5 +31,5 @@ Learn more about identity and access management technologies in Windows 10 and | [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. | | [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. | -| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | +| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. | From 7a3c2bf326fd2ee9fb14527cac612e996625ad1e Mon Sep 17 00:00:00 2001 
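Review bot: In the new index.yml hunk, the `-linkListType: learn` entry under the first card is missing the space after the dash, so unlike the `- linkListType: concept` entry above it it is not a YAML sequence item and the landing-page build will reject or silently drop that link list; change it to `- linkListType: learn`. Two more things in the same hunk: the PIN Reset link `url: hello-feature-pin-reset.m` is missing the `d` of `.md` (the toc.md hunk in this same patch links `hello-feature-pin-reset.md`), and the file ends with empty lines and no terminating newline (`\ No newline at end of file`); drop the blank lines and end the file with a newline before merging.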
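Review bot: The new toc.yml hunk ships three placeholder nodes (`- name:` / `href:` with empty values under Concepts, How-to Guides and Reference) and, like index.yml, no newline at end of file. Empty `name`/`href` values render as blank entries in the navigation; either fill them in this PR or keep only the populated `Overview` node until the rest of the TOC is ready. Note also that toc.md is still edited in this same patch while toc.yml is added, so the folder temporarily carries two tables of contents; the patch description should say which one the build is expected to pick up.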
From: Matthew Palko Date: Fri, 22 Jan 2021 17:32:22 -0800 Subject: [PATCH 10/41] fixing new line --- .../security/identity-protection/hello-for-business/index.yml | 3 --- .../security/identity-protection/hello-for-business/toc.yml | 3 ++- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index 98c1dc8fc0..c26699645a 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -108,6 +108,3 @@ landingContent: url: hello-deployment-issues.md - text: Errors During PIN Creation url: hello-errors-during-pin-creation.md - - - \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index dd48cc97b4..2c20b2052d 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -15,4 +15,5 @@ - name: Reference items: - name: - href: \ No newline at end of file + href: + \ No newline at end of file From b9cae92b5b8afb1f57771f5120df16ddfed3079a Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Mon, 25 Jan 2021 10:57:53 -0800 Subject: [PATCH 11/41] updating toc to toc.yml and updating nesting to match restructuring of documentation --- .../hello-for-business/index.yml | 4 +- .../hello-for-business/toc.md | 72 ---------- .../hello-for-business/toc.yml | 132 +++++++++++++++++- 3 files changed, 127 insertions(+), 81 deletions(-) delete mode 100644 windows/security/identity-protection/hello-for-business/toc.md diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index c26699645a..4035fa1cd7 100644 
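Review bot: The toc.yml hunk in this "fixing new line" patch does not actually fix the missing trailing newline: the removed `- href: \ No newline at end of file` becomes `+ href:` plus an added whitespace-only line that is itself marked `\ No newline at end of file`, so the file now ends in an indented blank line that still lacks a terminating newline. Remove the extra line and make sure the final `href:` line ends with `\n`; an `.editorconfig` with `insert_final_newline = true` (or the equivalent `files.insertFinalNewline` editor setting) stops this from recurring across the repo.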
--- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -89,7 +89,7 @@ landingContent: - text: Conditional Access url: hello-feature-conditional-access.md - text: PIN Reset - url: hello-feature-pin-reset.m + url: hello-feature-pin-reset.md - text: Dual Enrollment url: hello-feature-dual-enrollment.md - text: Dynamic Lock @@ -102,7 +102,7 @@ landingContent: # Card - title: Windows Hello for Business Troubleshooting linkLists: - - linkListType: concept + - linkListType: how-to-guide links: - text: Known Deployment Issues url: hello-deployment-issues.md diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md deleted file mode 100644 index 77e08dfd22..0000000000 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ /dev/null 
@@ -1,72 +0,0 @@ -# [Windows Hello for Business](hello-identity-verification.md) - -## [Passwordless Strategy](passwordless-strategy.md) - -## [Windows Hello for Business Overview](hello-overview.md) -## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) - -## [Windows Hello for Business Features](hello-features.md) -### [Conditional Access](hello-feature-conditional-access.md) -### [Dual Enrollment](hello-feature-dual-enrollment.md) -### [Dynamic Lock](hello-feature-dynamic-lock.md) -### [Multi-factor Unlock](feature-multifactor-unlock.md) -### [PIN Reset](hello-feature-pin-reset.md) -### [Remote Desktop](hello-feature-remote-desktop.md) - -## [How Windows Hello for Business works](hello-how-it-works.md) -### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive) -#### [Device Registration](hello-how-it-works-device-registration.md) -#### [Provisioning](hello-how-it-works-provisioning.md) -#### [Authentication](hello-how-it-works-authentication.md) -#### [Technology and Terminology](hello-how-it-works-technology.md) - -## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) - -## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - -## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) - -### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) -#### [Prerequisites](hello-hybrid-key-trust-prereqs.md) -#### [New Installation Baseline](hello-hybrid-key-new-install.md) -#### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -#### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -#### [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -#### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) - -### [Hybrid Azure AD Joined Certificate Trust 
Deployment](hello-hybrid-cert-trust.md) -#### [Prerequisites](hello-hybrid-cert-trust-prereqs.md) -#### [New Installation Baseline](hello-hybrid-cert-new-install.md) -#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) -#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) - -### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) -#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) -#### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md) - -### [On Premises Key Trust Deployment](hello-deployment-key-trust.md) -#### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -#### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -##### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -#### [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) - -### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) -#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) - -## [Windows Hello and password changes](hello-and-password-changes.md) -## [Prepare people to use Windows 
Hello](hello-prepare-people-to-use.md) - -## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.yml) -### [Windows Hello for Business Videos](hello-videos.md) - -## Windows Hello for Business Troubleshooting -### [Known Deployment Issues](hello-deployment-issues.md) -### [Errors during PIN creation](hello-errors-during-pin-creation.md) -### [Event ID 300 - Windows Hello successfully created](hello-event-300.md) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 2c20b2052d..65d8c83904 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml 
@@ -5,15 +5,133 @@ - name: Windows Hello for Business Overview href: hello-overview.md - name: Concepts + expanded: true items: - - name: - href: + - name: Passwordless Strategy + href: passwordless-strategy.md + - name: Why a PIN is better than a password + href: hello-why-pin-is-better-than-password.md + - name: Windows Hello biometrics in the enterprise + href: hello-biometrics-in-enterprise.md + - name: How Windows Hello for Business works + href: hello-how-it-works.md + - name: Technical Deep Dive + items: + - name: Device Registration + href: hello-how-it-works-device-registration.md + - name: Provisioning + href: hello-how-it-works-provisioning.md + - name: Authentication + href: hello-how-it-works-authentication.md - name: How-to Guides items: - - name: - href: + - name: Windows Hello for Business Deployment Overview + href: hello-deployment-guide.md + - name: Planning a Windows Hello for Business Deployment + href: hello-planning-guide.md + - name: Deployment Prerequisite Overview + href: hello-identity-verification.md + - name: Prepare people to use Windows Hello + href: hello-prepare-people-to-use.md + - name: Deployment Guides + items: + - name: Hybrid Azure AD Joined Key Trust + items: + - name: Hybrid Azure AD Joined Key Trust Deployment + href: hello-hybrid-key-trust.md + - name: Prerequisites + href: hello-hybrid-key-trust-prereqs.md + - name: New Installation Baseline + href: hello-hybrid-key-new-install.md + - name: Configure Directory Synchronization + href: hello-hybrid-key-trust-dirsync.md + - name: Configure Azure Device Registration + href: hello-hybrid-key-trust-devreg.md + - name: Configure Windows Hello for Business settings + href: hello-hybrid-key-whfb-settings.md + - name: Sign-in and Provisioning + href: hello-hybrid-key-whfb-provision.md + - name: Hybrid Azure AD Joined Certificate Trust + items: + - name: Hybrid Azure AD Joined Certificate Trust Deployment + href: hello-hybrid-cert-trust.md + - name: Prerequisites + href: 
hello-hybrid-cert-trust-prereqs.md + - name: New Installation Baseline + href: hello-hybrid-cert-new-install.md + - name: Configure Azure Device Registration + href: hello-hybrid-cert-trust-devreg.md + - name: Configure Windows Hello for Business settings + href: hello-hybrid-cert-whfb-settings.md + - name: Sign-in and Provisioning + href: hello-hybrid-cert-whfb-provision.md + - name: On-premises SSO for Azure AD Joined Devices + items: + - name: On-premises SSO for Azure AD Joined Devices Deployment + href: hello-hybrid-aadj-sso.md + - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business + href: hello-hybrid-aadj-sso-base.md + - name: Using Certificates for AADJ On-premises Single-sign On + href: hello-hybrid-aadj-sso-cert.md + - name: On-premises Key Trust + items: + - name: On-premises Key Trust Deployment + href: hello-deployment-key-trust.md + - name: Validate Active Directory Prerequisites + href: hello-key-trust-validate-ad-prereq.md + - name: Validate and Configure Public Key Infrastructure + href: hello-key-trust-validate-pki.md + - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + href: hello-key-trust-adfs.md + - name: Validate and Deploy Multi-factor Authentication (MFA) Services + href: hello-key-trust-validate-deploy-mfa.md + - name: Configure Windows Hello for Business policy settings + href: hello-key-trust-policy-settings.md + - name: On-premises Certificate Trust + items: + - name: On-premises Certificate Trust Deployment + href: hello-deployment-cert-trust.md + - name: Validate Active Directory Prerequisites + href: hello-cert-trust-validate-ad-prereq.md + - name: Validate and Configure Public Key Infrastructure + href: hello-cert-trust-validate-pki.md + - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + href: hello-cert-trust-adfs.md + - name: Validate and Deploy Multi-factor Authentication (MFA) Services + href: 
hello-cert-trust-validate-deploy-mfa.md + - name: Configure Windows Hello for Business policy settings + href: hello-cert-trust-policy-settings.md + - name: Managing Windows Hello for Business in your organization + href: hello-manage-in-organization.md + - name: Windows Hello for Business Features + items: + - name: Conditional Access + href: hello-feature-conditional-access.md + - name: PIN Reset + href: hello-feature-pin-reset.md + - name: Dual Enrollment + href: hello-feature-dual-enrollment.md + - name: Dynamic Lock + href: hello-feature-dynamic-lock.md + - name: Multi-factor Unlock + href: feature-multifactor-unlock.md + - name: Remote Desktop + href: hello-feature-remote-desktop.md + - name: Troubleshooting + items: + - name: Known Deployment Issues + href: hello-deployment-issues.md + - name: Errors During PIN Creation + href: hello-errors-during-pin-creation.md + - name: Event ID 300 - Windows Hello successfully created + href: hello-event-300.md + - name: Windows Hello and password changes + href: hello-and-password-changes.md - name: Reference items: - - name: - href: - \ No newline at end of file + - name: Technology and Terminology + href: hello-how-it-works-technology.md + - name: Frequently Asked Questions (FAQ) + href: hello-faq.yml + - name: Windows Hello for Business videos + href: hello-videos.md From 9d7d199078b9917f52ea02e07840f65cb861b886 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Mon, 25 Jan 2021 11:18:44 -0800 Subject: [PATCH 12/41] fixing issues with toc.yml and index.yml --- .../security/identity-protection/hello-for-business/index.yml | 2 +- windows/security/identity-protection/hello-for-business/toc.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index 4035fa1cd7..4282b8e701 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml 
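Review bot: In the toc.yml hunk, the `Windows Hello for Business Features` node is added with `items:` but no `href`, while the deleted toc.md hunk linked that heading to `hello-features.md`; unless that page is removed elsewhere, it drops out of the navigation with this patch (the landing page index.yml does not link it either). Either add `href: hello-features.md` to the parent node or list it as the first child item. Smaller points in the same hunk: `Sign-in and Provision` from toc.md becomes `Sign-in and Provisioning`, and `Validate and Deploy Multifactor Authentication Services (MFA)` becomes `Validate and Deploy Multi-factor Authentication (MFA) Services`; if those title changes are intentional, the H1 of each target page should be updated to match so the TOC label and page title agree.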
+++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -36,7 +36,7 @@ landingContent: url: hello-biometrics-in-enterprise.md - text: How Windows Hello for Business works url: hello-how-it-works.md - -linkListType: learn + - linkListType: learn links: - text: Technical Deep Dive - Device Registration url: hello-how-it-works-device-registration.md diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 65d8c83904..8a29bb7d81 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -102,7 +102,7 @@ - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - name: Managing Windows Hello for Business in your organization - href: hello-manage-in-organization.md + href: hello-manage-in-organization.md - name: Windows Hello for Business Features items: - name: Conditional Access From 9070c026aada653a5c4953f229221656e3c9eaff Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Thu, 28 Jan 2021 15:17:15 -0800 Subject: [PATCH 13/41] Fixing weird phrasing and list issue --- .../hello-for-business/hello-how-it-works.md | 4 ++-- .../hello-for-business/hello-planning-guide.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 60d7c90219..c9844c3d80 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md 
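Review bot: The toc.yml hunk here replaces `href: hello-manage-in-organization.md` with a line that reads identically, so the change is whitespace only (the indentation of that `href` under `- name: Managing Windows Hello for Business in your organization`); say so in the commit message, since "fixing issues" does not tell a reviewer what was wrong, and confirm with `git diff --ignore-all-space` that nothing else moved. Indentation is semantic in YAML: an `href` at the wrong depth attaches to the wrong node or fails to parse, which is exactly the kind of defect a reviewer cannot see in a whitespace-collapsed diff. The index.yml hunk is fine; it repairs the `-linkListType: learn` item so it is a proper `- linkListType: learn` sequence entry.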
@@ -21,7 +21,7 @@ ms.reviewer: - Windows 10 -Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. +Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8] 
@@ -48,7 +48,7 @@ For more information read [how provisioning works](hello-how-it-works-provisioni ### Authentication -Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. +With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works. diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 260676b71b..0d50683cf6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -45,7 +45,7 @@ There are six major categories you need to consider for a Windows Hello for Busi - Client - Management - Active Directory --Public Key Infrastructure +- Public Key Infrastructure - Cloud ### Baseline Prerequisites From c31f98e043441b191c772b23559fdcdfb751e3d8 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Fri, 29 Jan 2021 20:03:13 +0200 Subject: [PATCH 14/41] Update pull-alerts-using-rest-api.md Fixing numbers that are written as strings in the example. https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9037 --- .../microsoft-defender-atp/pull-alerts-using-rest-api.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 035be361f5..0b426b8e0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -84,10 +84,10 @@ The response will include an access token and expiry information. ```json { "token_type": "Bearer", - "expires_in": "3599", - "ext_expires_in": "0", - "expires_on": "1488720683", - "not_before": "1488720683", + "expires_in": 3599, + "ext_expires_in": 0, + "expires_on": 1488720683, + "not_before": 1488720683, "resource": "https://graph.windows.net", "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..." } From 3d28a9ee0d231981a95413a9aa2566403ae91c17 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Fri, 29 Jan 2021 20:09:53 +0200 Subject: [PATCH 15/41] Update pull-alerts-using-rest-api.md Acrolinx. --- .../microsoft-defender-atp/pull-alerts-using-rest-api.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
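Review bot: In the `### Authentication` hunk of hello-how-it-works.md the rewritten paragraph still ends with the dangling `It is user provided entropy when performing operations that use the private portion of the credential.`; after a sentence about both the PIN and the private key, `It` is ambiguous, so spell it out: `The PIN is user-provided entropy used when performing operations that use the private portion of the credential.` Also `users can sign-in to Windows 10` should be `sign in` (verb form), and the new claim `available on all computers unless restricted by policy requiring a TPM` is a stronger statement than the `most computers and devices` it replaces, so link the policy setting that enforces that restriction. The first hunk (`@@ -21,7 +21,7 @@`) shows identical text on the removed and added lines, which makes it a whitespace-only change; fine, but worth a word in the commit message.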
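Review bot: Before merging the change of `expires_in`, `ext_expires_in`, `expires_on` and `not_before` from strings to numbers in the pull-alerts-using-rest-api.md hunk, confirm it against a live response from the endpoint this page's request targets. The sample carries a `resource` field (`https://graph.windows.net`), which is the Azure AD v1.0 `/oauth2/token` response shape, and in my experience that endpoint returns these four values as JSON strings (`"expires_in": "3599"`), while it is the v2.0 endpoint that returns integers; if the page's request really uses v1.0, the original quoted values were correct and the linked issue #9037 may have been comparing against a v2.0 response. Whichever form is documented, client code should not depend on the JSON type; parse the value explicitly (for example `int(token["expires_in"])`, which accepts both) before computing token expiry.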
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 0b426b8e0d..49d143d897 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -1,6 +1,6 @@ --- title: Pull Microsoft Defender for Endpoint detections using REST API -description: Learn how call an Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API. +description: Learn how to call a Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API. keywords: detections, pull detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -67,7 +67,7 @@ Use the following method in the Microsoft Defender for Endpoint API to pull dete ## Get an access token Before creating calls to the endpoint, you'll need to get an access token. -You'll use the access token to access the protected resource, which are detections in Microsoft Defender for Endpoint. +You'll use the access token to access the protected resource, which is detections in Microsoft Defender for Endpoint. To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: @@ -115,7 +115,7 @@ Name | Value| Description :---|:---|:--- sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.

**NOTE**: When not specified, all alerts generated in the last two hours are retrieved. untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

**NOTE**: When not specified, the default value will be the current time. -ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. +ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

Value should be set according to **ISO 8601** duration format
Example: `ago=PT10M` will pull alerts received in the last 10 minutes. limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

**NOTE**: When not specified, all alerts available in the time range will be retrieved. machinegroups | string | Specifies device groups to pull alerts from.

**NOTE**: When not specified, alerts from all device groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` DeviceCreatedMachineTags | string | Single device tag from the registry. From 236497f1a20efa5048a868c70296b4951eaf78c0 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 14:09:12 -0800 Subject: [PATCH 16/41] Labeled code blocks, added some vertical spacing --- .../feature-multifactor-unlock.md | 140 +++++++++++------- 1 file changed, 89 insertions(+), 51 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index da9b1c7c1e..e6e5fa20c1 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -83,15 +83,17 @@ For example, if you include the PIN and fingerprint credential providers in both The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. ### Rule element -You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
+You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0. + **Example** -``` +```xml ``` ### Signal element -Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
+Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values. + |Attribute|Value| |---------|-----| @@ -109,8 +111,8 @@ You define the bluetooth signal with additional attributes in the signal element |rssiMin|"*number*"|no| |rssiMaxDelta|"*number*"|no| -Example: -``` +**Example** +```xml @@ -142,63 +144,76 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements do not have attributes or nested elements. ##### IPv4Prefix -The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element.
+The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element. + **Example** -``` +```xml 192.168.100.0/24 ``` + The assigned IPv4 addresses in the range of 192.168.100.1 to 192.168.100.254 match this signal configuration. ##### IPv4Gateway -The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element.
+The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element. + **Example** -``` +```xml 192.168.100.10 ``` + ##### IPv4DhcpServer -The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element.
+The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element. + **Example** -``` +```xml 192.168.100.10 ``` + ##### IPv4DnsServer -The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.
+The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements. + **Example:** -``` +```xml 192.168.100.10 ``` ##### IPv6Prefix -The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element.
+The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element. + **Example** -``` +```xml 21DA:D3::/48 ``` ##### IPv6Gateway -The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element.
+The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element. + **Example** -``` +```xml 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` ##### IPv6DhcpServer -The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element.
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element. + **Example** -``` +```xml 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 +The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements. + **Example** -``` +```xml 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` + ##### dnsSuffix -The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
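Review bot: the replacement line for the IPv6DhcpServer subsection still says "The IPv6 DNS server represented in Internet standard hexadecimal encoding" even though it ends with "may only contain one **ipv6DhcpServer** element"; it should open with "The IPv6 DHCP server", matching the IPv4DhcpServer paragraph above, otherwise the DHCP and DNS subsections read identically apart from the element name. Also check that the closing fence and the `##### IPv6DnsServer` heading between the IPv6DhcpServer example and the IPv6DnsServer paragraph survived the rewrite; neither appears in the hunk as shown, and the DnsServer paragraph follows the DhcpServer example value directly.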
+The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements. + **Example** -``` +```xml corp.contoso.com ``` @@ -210,15 +225,17 @@ The fully qualified domain name of your organization's internal DNS suffix where You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements. #### SSID -Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
-``` +Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required. + +```xml corpnetwifi ``` #### BSSID -Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
+Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional. + **Example** -``` +```xml 12-ab-34-ff-e5-46 ``` @@ -235,19 +252,22 @@ Contains the type of security the client uses when connecting to the wireless ne |WPA2-Enterprise| The wireless network is protected using Wi-Fi Protected Access 2-Enterprise.| **Example** -``` +```xml WPA2-Enterprise ``` #### TrustedRootCA -Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
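Review bot: in the BSSID paragraph, "the BSSID is the mac address of the wireless access point" should be "The BSSID is the MAC address of the wireless access point" (sentence case after the period, and MAC is an initialism). The line is already modified in this hunk, so the fix costs nothing here.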
+Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional. + **Example** -``` +```xml a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa ``` + #### Sig_quality -Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
+Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal. + **Example** -``` +```xml 80 ``` @@ -257,7 +277,8 @@ These examples are wrapped for readability. Once properly formatted, the entire #### Example 1 This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, and DnsSuffix elements. -``` + +```xml 10.10.10.0/24 @@ -271,10 +292,11 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, #### Example 2 This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. This configuration is wrapped for reading. Once properly formatted, the entire XML contents must be a single line. This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. + >[!NOTE] >Separate each rule element using a comma. -``` +```xml corp.contoso.com @@ -284,9 +306,11 @@ This example configures an IpConfig signal type using a dnsSuffix element and a ``` + #### Example 3 This example configures the same as example 2 using compounding And elements. This example implies that the ipconfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. -``` + +```xml @@ -296,9 +320,11 @@ This example configures the same as example 2 using compounding And elements. T ``` + #### Example 4 This example configures Wi-Fi as a trusted signal (Windows 10, version 1803) -``` + +```xml contoso 
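Review bot: the example descriptions spell the signal type three ways, "IPConfig signal type" in Example 1, "IpConfig signal type" and "the ipconfig **or** the Bluetooth rule" in Example 2 and 3; the Signal element section earlier in this file gives the supported value as **ipConfig**, so use that spelling throughout these sentences. The Example 4 lead sentence, "This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)", also lacks a terminal period, and the Sig_quality line should read "Contains a numeric value".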
@@ -332,22 +358,34 @@ The Group Policy object contains the policy settings needed to trigger Windows H > * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both. > * The multifactor unlock feature is also supported via the Passport for Work CSP. See [Passport For Work CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) for more information. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New**. -4. Type *Multifactor Unlock* in the name box and click **OK**. -5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
- ![Group Policy Editor](images/multifactorUnlock/gpme.png) -8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
- ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) -9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section. -10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section. -11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. +1. Start the **Group Policy Management Console** (gpmc.msc). - ## Troubleshooting - Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + +3. Right-click **Group Policy object** and select **New**. + +4. Type *Multifactor Unlock* in the name box and click **OK**. + +5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**. + +6. In the navigation pane, expand **Policies** under **Computer Configuration**. + +7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. + + ![Group Policy Editor](images/multifactorUnlock/gpme.png) + +8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values. + + ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) + +9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors). + +10. 
If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider). + +11. Click **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. + +## Troubleshooting +Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. ### Events From 47bb2e611ed6cfc1c86a26baba8e2e0ea8fe4d3e Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 14:10:42 -0800 Subject: [PATCH 17/41] Acrolinx: "the those" --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 0d50683cf6..57805caf8b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
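Review bot: step 7, "Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**", names the node in the singular; in the Group Policy Management Editor the node is **Windows Components**. The step is rewritten in this hunk, so correct it here rather than in a follow-up.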
@@ -160,7 +160,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in ### Cloud -Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional. +Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from those that are optional. ## Planning a Deployment From 813366c483832642f9265d2cf6eedd7f87ac0749 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 29 Jan 2021 14:55:37 -0800 Subject: [PATCH 18/41] update section on passive uninstall --- .../microsoft-defender-atp/minimum-requirements.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 7d4ff91ed4..f7623205a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
@@ -199,14 +199,12 @@ When Microsoft Defender Antivirus is not the active antimalware in your organiza If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy. -If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). +If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). > [!NOTE] > Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on. -For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). - ## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard. From 402d66cf2d6e71fc1f511079881b8f70f96e0e88 Mon Sep 17 00:00:00 2001 
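Review bot: the new sentence drops the link to [Onboard servers](configure-server-endpoints.md) that the removed sentence carried, and the replacement only points at the antivirus compatibility page; since the new text says "The configuration is dependent on the server version", readers still need the per-version onboarding steps, so keep both links. Minor wording: "configured to go on passive mode" should be "configured to run in passive mode".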
From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:01:47 -0800 Subject: [PATCH 19/41] Update MDE for Mac docs to use new command-line tool syntax --- .../mac-install-manually.md | 4 ++-- .../microsoft-defender-atp/mac-pua.md | 2 +- .../microsoft-defender-atp/mac-resources.md | 2 +- .../mac-schedule-scan-atp.md | 4 ++-- .../microsoft-defender-atp/mac-support-kext.md | 16 ++++++++-------- .../microsoft-defender-atp/mac-support-perf.md | 2 +- .../microsoft-defender-atp/mac-whatsnew.md | 2 +- .../microsoft-defender-atp-mac.md | 2 +- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 904279814f..375f715a8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -116,7 +116,7 @@ To complete this process, you must have admin privileges on the device. The client device is not associated with orgId. Note that the *orgId* attribute is blank. ```bash - mdatp --health orgId + mdatp health --field org_id ``` 2. Run the Python script to install the configuration file: @@ -128,7 +128,7 @@ To complete this process, you must have admin privileges on the device. 3. Verify that the device is now associated with your organization and reports a valid *orgId*: ```bash - mdatp --health orgId + mdatp health --field org_id ``` After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md index a83bc01f7a..37371fa8f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md 
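Review bot: in mac-install-manually.md both hunks switch the command to `mdatp health --field org_id`, but the unchanged prose around them still says "The client device is not associated with orgId. Note that the *orgId* attribute is blank." and "reports a valid *orgId*"; update those sentences to the `org_id` field name the new command prints so readers are not looking for a camelCase key in the output.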
@@ -59,7 +59,7 @@ You can configure how PUA files are handled from the command line or from the ma In Terminal, execute the following command to configure PUA protection: ```bash -mdatp --threat --type-handling potentially_unwanted_application [off|audit|block] +mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block] ``` ### Use the management console to configure PUA protection: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index 8ab4ccb54a..227df25707 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -149,7 +149,7 @@ To enable autocompletion in zsh: ## Client Microsoft Defender for Endpoint quarantine directory -`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`. +`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp threat list`. ## Microsoft Defender for Endpoint portal information diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index b7f2649c73..331b7057ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -47,7 +47,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. sh -c - /usr/local/bin/mdatp --scan --quick + /usr/local/bin/mdatp scan quick RunAtLoad 
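Review bot: the mac-resources.md line being changed still reads "The current trackingIds is shown with `mdatp threat list`"; since the line is touched anyway, make it "The current trackingIds are shown with `mdatp threat list`" (plural subject).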
@@ -73,7 +73,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. 2. Save the file as *com.microsoft.wdav.schedquickscan.plist*. > [!TIP] - > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. + > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp scan quick`, to use the `full` option instead of `quick` (i.e. `/usr/local/bin/mdatp scan full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. 3. Open **Terminal**. 4. Enter the following commands to load your file: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index 3cefc80735..dae30c8c6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md 
@@ -37,15 +37,15 @@ If you did not approve the kernel extension during the deployment/installation o ![RTP disabled screenshot](../microsoft-defender-antivirus/images/MDATP-32-Main-App-Fix.png) -You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device. +You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device. ```bash -mdatp --health +mdatp health ``` ```Output ... -realTimeProtectionAvailable : false -realTimeProtectionEnabled : true +real_time_protection_enabled : true +real_time_protection_available : true ... ``` @@ -90,15 +90,15 @@ In this case, you need to perform the following steps to trigger the approval fl sudo kextutil /Library/Extensions/wdavkext.kext ``` - The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available: + The banner should disappear from the Defender application, and ```mdatp health``` should now report that real-time protection is both enabled and available: ```bash - mdatp --health + mdatp health ``` ```Output ... - realTimeProtectionAvailable : true - realTimeProtectionEnabled : true + real_time_protection_enabled : true + real_time_protection_available : true ... ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 96b85255e0..9aff2517bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
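Review bot: the replacement output in the first hunk (lines 37-51) contradicts the sentence above it. The text says `mdatp health` "reports if real-time protection is enabled but not available" when the kernel extension is unapproved, and the removed output showed `realTimeProtectionAvailable : false` with `realTimeProtectionEnabled : true`, yet the new output shows `real_time_protection_available : true`. The first block should be `real_time_protection_enabled : true` and `real_time_protection_available : false`; the second hunk (after `kextutil`) is the one where both values are correctly `true`.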
@@ -48,7 +48,7 @@ The following steps can be used to troubleshoot and mitigate these issues: - From the Terminal. For security purposes, this operation requires elevation. ```bash - mdatp --config realTimeProtectionEnabled false + mdatp config real-time-protection --value disabled ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 2ae1e83837..55c92067b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -173,7 +173,7 @@ ms.technology: mde - Fixed an issue where Microsoft Defender for Endpoint for Mac was sometimes interfering with Time Machine - Added a new switch to the command-line utility for testing the connectivity with the backend service ```bash - mdatp --connectivity-test + mdatp connectivity test ``` - Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view) - Performance improvements & bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 61c7fe0660..9766c422da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md 
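Review bot: the mac-whatsnew.md hunk edits a release-notes entry that says "Added a new switch to the command-line utility for testing the connectivity with the backend service"; that entry describes the release in which `mdatp --connectivity-test` shipped, so rewriting the example to `mdatp connectivity test` makes the changelog claim that version introduced a command it did not have. Either leave historical release notes as they were or add a sentence that the syntax changed to `mdatp connectivity test` in a later release.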
@@ -132,7 +132,7 @@ The output from this command should be similar to the following: Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal: ```bash -mdatp --connectivity-test +mdatp connectivity test ``` ## How to update Microsoft Defender for Endpoint for Mac From 5d73e88e40b16c8c285dcbe144712e9f82d9fcef Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:05:01 -0800 Subject: [PATCH 20/41] One more file --- .../microsoft-defender-atp/mac-sysext-preview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index 3e8f336502..b02e640d1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md @@ -45,7 +45,7 @@ These steps assume you already have Defender for Endpoint running on your device - Your device must be in the **Insider Fast update channel**. You can check the update channel by using the following command: ```bash - mdatp --health releaseRing + mdatp health --field release_ring ``` If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted). From 47bd07c3fa4979cb5e91ca1c8bda30eadccec328 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:12:40 -0800 Subject: [PATCH 21/41] Typo --- .../microsoft-defender-atp/mac-support-kext.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index dae30c8c6a..8d726d2f36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md @@ -44,7 +44,7 @@ mdatp health ``` ```Output ... -real_time_protection_enabled : true +real_time_protection_enabled : false real_time_protection_available : true ... ``` From f29f13280dc50788d2e9537221dfe79d255d7335 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 16:13:11 -0800 Subject: [PATCH 22/41] Corrected indentation of content in list items --- .../microsoft-defender-atp/mac-support-perf.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 9aff2517bf..cbfb2f15f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
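Review bot: this "typo" fix flips the wrong field. The surrounding text describes the unapproved-kext case as real-time protection being enabled but not available, and the output that PATCH 19 replaced showed `realTimeProtectionAvailable : false` with `realTimeProtectionEnabled : true`; after this change the block shows `real_time_protection_enabled : false` and `real_time_protection_available : true`, which is the opposite condition. The correct lines are `real_time_protection_enabled : true` and `real_time_protection_available : false`.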
@@ -43,13 +43,13 @@ The following steps can be used to troubleshoot and mitigate these issues: - From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**. - ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) + ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) - From the Terminal. For security purposes, this operation requires elevation. - ```bash - mdatp config real-time-protection --value disabled - ``` + ```bash + mdatp config real-time-protection --value disabled + ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). From f0446c8eb4ebb6e9c0598e76fee5cf30b2c76462 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 16:15:28 -0800 Subject: [PATCH 23/41] Corrected indentation and, thereby, broken numbering in a procedure --- .../microsoft-defender-atp/mac-sysext-preview.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index b02e640d1e..3a5f837ab4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md 
@@ -66,8 +66,9 @@ Follow the deployment steps that correspond to your environment and your preferr 1. After all deployment prerequisites are met, restart your device to launch the system extension approval and activation process. -You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. -For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run. + You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. + + For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run. > [!IMPORTANT] > You must close and reopen the **System Preferences** > **Security & Privacy** window between subsequent approvals. Otherwise, macOS will not display the next approval. From 73f669e1e90ef76a8a27f03a6ab43d9397c0762f Mon Sep 17 00:00:00 2001 From: Office Content Publishing <34616516+officedocspr@users.noreply.github.com> Date: Sat, 30 Jan 2021 23:33:12 -0800 Subject: [PATCH 24/41] Uploaded file: store-for-business-content-updates.md - 2021-01-30 23:33:11.8570 --- .../includes/store-for-business-content-updates.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md index 42f33e8015..82518ed170 100644 --- a/store-for-business/includes/store-for-business-content-updates.md +++ b/store-for-business/includes/store-for-business-content-updates.md 
@@ -2,6 +2,14 @@ +## Week of January 25, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified | + + ## Week of January 11, 2021 From c795074fc1a033d438a0467e94f052fb1be7966e Mon Sep 17 00:00:00 2001 From: Sunayana Singh <57405155+sunasing@users.noreply.github.com> Date: Sun, 31 Jan 2021 21:19:08 +0530 Subject: [PATCH 25/41] Added Conditional Access with Intune --- .../ios-configure-features.md | 47 +++++++++++-------- 1 file changed, 27 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index d04735e349..877b61390e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md 
@@ -28,6 +28,33 @@ ms.technology: mde > [!NOTE] > Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +## Conditional Access with Defender for Endpoint for iOS +Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies +based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. + +For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune] https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). + +## Web Protection and VPN + +By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a VPN in order to provide this protection. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device. + +While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below: + +1. On your iOS device, open the **Settings** app, click or tap **General** and then **VPN**. +1. Click or tap the "i" button for Microsoft Defender ATP. +1. Toggle off **Connect On Demand** to disable VPN. + + > [!div class="mx-imgBorder"] + > ![VPN config connect on demand](images/ios-vpn-config.png) + +> [!NOTE] +> Web Protection will not be available when VPN is disabled. 
To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**. + +## Co-existence of multiple VPN profiles + +Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time. + + ## Configure compliance policy against jailbroken devices To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune. 
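Review bot: the link in the new Conditional Access paragraph is missing its opening parenthesis, `[Defender for Endpoint and Intune] https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection)`, so it renders as literal bracketed text followed by a bare URL; it should read `[Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection)`. Two smaller points in the same hunk: the moved "Co-existence of multiple VPN profiles" section is re-added as a `##` heading although the block removed further down had it as `###`, which promotes a sub-topic of "Web Protection and VPN" to a top-level section; and step 2 of the VPN procedure still says to tap the "i" button for "Microsoft Defender ATP" while the rest of the page uses "Microsoft Defender for Endpoint" (check which name the iOS Settings app actually shows for the profile before changing it, since the text here is meant to match the screen).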
@@ -63,26 +90,6 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i > [!NOTE] > Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. -## Web Protection and VPN - -By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a VPN in order to provide this protection. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device. - -While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below: - -1. On your iOS device, open the **Settings** app, click or tap **General** and then **VPN**. -1. Click or tap the "i" button for Microsoft Defender ATP. -1. Toggle off **Connect On Demand** to disable VPN. - - > [!div class="mx-imgBorder"] - > ![VPN config connect on demand](images/ios-vpn-config.png) - -> [!NOTE] -> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**. - -### Co-existence of multiple VPN profiles - -Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time. - ## Report unsafe site Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site. 
From b7d0e0f861f946c55978c6fecc3e044a3d2e4ca8 Mon Sep 17 00:00:00 2001 From: Thomas Lee Date: Sun, 31 Jan 2021 16:42:08 +0000 Subject: [PATCH 26/41] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md Updated examples to have correct casing based on values in Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.PUAProtectionType enum Added an example for viewing PUA events Removed future tense to improve readability. --- ...anted-apps-microsoft-defender-antivirus.md | 37 ++++++++++++++----- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index dc721c7813..0467981cf8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md 
@@ -62,13 +62,13 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium ### Blocking URLs with Microsoft Defender SmartScreen -In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. +In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs. Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings. ## Microsoft Defender Antivirus 
@@ -87,7 +87,7 @@ The notification appears in the usual [quarantine list within the Windows Securi You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). -You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. +You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log. > [!TIP] > Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. @@ -125,7 +125,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 7. Select **Enabled** to enable PUA protection. -8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. +8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**. 9. Deploy your Group Policy object as you usually do. 
@@ -134,25 +134,25 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw ##### To enable PUA protection ```PowerShell -Set-MpPreference -PUAProtection enable +Set-MpPreference -PUAProtection Enabled ``` -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. +Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell -Set-MpPreference -PUAProtection auditmode +Set-MpPreference -PUAProtection AuditMode ``` -Setting `AuditMode` will detect PUAs without blocking them. +Setting `AuditMode` detects PUAs without blocking them. ##### To disable PUA protection We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell -Set-MpPreference -PUAProtection disable +Set-MpPreference -PUAProtection Disabled ``` -Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. +Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. 
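Review bot: the casing change is a functional fix, not a cosmetic one, and the surrounding prose should say so: `-PUAProtection` is typed as the `PUAProtectionType` enum whose members are `Disabled`, `Enabled` and `AuditMode` (0, 1, 2), so the previous `enable` and `disable` values would not have bound to the parameter at all (PowerShell matches enum names case-insensitively, so only `auditmode` would have worked). Consider also mentioning the numeric equivalents `0`/`1`/`2`, which is what Group Policy and the registry expose, and adding a verification step such as `Get-MpPreference | Select-Object PUAProtection` after the three `Set-MpPreference` examples so readers can confirm the state they just set.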
@@ -160,6 +160,23 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. +You can also use the ``Get-MpThreat`` cmdlet to view threats that Defender handled. +```console + +CategoryID : 27 +DidThreatExecute : False +IsActive : False +Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/ + fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714} +RollupStatus : 33 +SchemaVersion : 1.0.0.0 +SeverityID : 1 +ThreatID : 213927 +ThreatName : PUA:Win32/InstallCore +TypeID : 0 +PSComputerName : +``` + You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. From 40589e437f4e628d9fe18e780fbc70a721feb3a5 Mon Sep 17 00:00:00 2001 From: Thomas Lee Date: Sun, 31 Jan 2021 22:21:20 +0000 Subject: [PATCH 27/41] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md Changed double-tick to single, as per suggestion. Added blank line around codefencing --- ...ntially-unwanted-apps-microsoft-defender-antivirus.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 0467981cf8..73b795ee62 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md 
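Review bot: the new `Get-MpThreat` example shows output only; put the command that produced it at the top of the fence (or, better, a filtered form such as `Get-MpThreat | Where-Object ThreatName -like 'PUA:*'`, since this section is specifically about PUA events) so readers can reproduce it. The captured `Resources` value also embeds a live-looking download URL (`http://d18yzm5yb8map8.cloudfront.net/...Dalton_Download_Manager.exe`) taken from a real detection; replace it with a placeholder rather than publishing a working PUA link in the docs. Lastly, ``Get-MpThreat`` with double backticks renders as an empty code span in some processors, and the fence needs a blank line before it; both are corrected in PATCH 27 and could simply be squashed into this one.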
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -134,14 +134,18 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw ##### To enable PUA protection ```PowerShell + Set-MpPreference -PUAProtection Enabled + ``` Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell + Set-MpPreference -PUAProtection AuditMode + ``` Setting `AuditMode` detects PUAs without blocking them. @@ -150,7 +154,9 @@ Setting `AuditMode` detects PUAs without blocking them. We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell + Set-MpPreference -PUAProtection Disabled + ``` Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. @@ -160,7 +166,8 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. -You can also use the ``Get-MpThreat`` cmdlet to view threats that Defender handled. +You can also use the `Get-MpThreat` cmdlet to view threats that Defender handled. + ```console CategoryID : 27 From fd30b0a830ebbd942b4cf61181c942b7e7ab5f59 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:05:18 +0200 Subject: [PATCH 28/41] Update Onboard-Windows-10-multi-session-device.md Dropping the rebranding note (was removed from all pages). --- .../Onboard-Windows-10-multi-session-device.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index e63643ed0a..1f03573655 100644 
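Review bot: the three `+` blank lines inserted directly inside the ```PowerShell fences (one after each opening fence and one before each closing fence) render as padding inside the code box, not as spacing around it; the blank line that separates a fence from surrounding prose belongs outside the fence, and the other fences in this file (for example the `console` block further down) carry none. Drop the in-fence blanks and keep only the blank line added before the `Get-MpThreat` fence, which is the one that was actually missing.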
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -24,8 +24,6 @@ ms.technology: mde Applies to: - Windows 10 multi-session running on Windows Virtual Desktop (WVD) -> [!IMPORTANT] -> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. > [!WARNING] > Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported. From ff100e743717b62e52ee29850b2e00a83770bbdb Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:26:56 +0200 Subject: [PATCH 29/41] Update configure-server-endpoints.md Addressing: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8911 https://github.com/MicrosoftDocs/windows-itpro-docs/pull/8996/files Also adding a note regarding US Gov customers and MMA setup. --- .../configure-server-endpoints.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 3e1fad5b1a..abdf7a98e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -42,6 +42,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines). +
## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 @@ -56,7 +57,7 @@ After completing the onboarding steps using any of the provided options, you'll > [!NOTE] -> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). +> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). ### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) @@ -102,6 +103,8 @@ Perform the following steps to fulfill the onboarding requirements: On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). +> [!NOTE] +> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government". 
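Review bot: in the @@ -56 hunk the rewritten license note now refers to "Microsoft Endpoint Manager (Option 3)", but the later heading for that method (visible as context in the @@ -140 hunk) calls it Microsoft Endpoint Configuration Manager; use one name so the "Option n" labels match the section titles the reader will scroll to. In the @@ -102 hunk, "Azure Cloud" and "Azure US Government" are UI labels and should be bolded like **Agent Setup Options** and **Connect the agent to Azure Log Analytics (OMS)** just above; it would also help to say which of the two install paths listed there (setup wizard or command line/script) the choice applies to. The remaining hunks in this patch (@@ -42, -140, -183, -202, -212, -264) are whitespace only and add two, and in the last case three, consecutive blank lines before headings; Markdown collapses them, so a single blank line is enough and keeps the diff to the substantive changes.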
@@ -140,6 +143,8 @@ You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsof After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). +
+ ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: @@ -183,6 +188,8 @@ Support for Windows Server provides deeper insight into server activities, cover For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus). +
+ ## Integration with Azure Security Center Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. @@ -202,6 +209,7 @@ Data collected by Defender for Endpoint is stored in the geo-location of the ten > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. +
## Configure and update System Center Endpoint Protection clients @@ -212,7 +220,7 @@ The following steps are required to enable this integration: - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - +
## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. @@ -264,6 +272,9 @@ To offboard the Windows server, you can use either of the following methods: $AgentCfg.ReloadConfiguration() ``` + +
+ ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard non-Windows devices](configure-endpoints-non-windows.md) From bd6233826f769c56fb2f12a191eae8fe0588cd9e Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:35:51 +0200 Subject: [PATCH 30/41] Update configure-server-endpoints.md Some Acrolinx changes. --- .../microsoft-defender-atp/configure-server-endpoints.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index abdf7a98e7..8ac55c19b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -63,7 +63,7 @@ After completing the onboarding steps using any of the provided options, you'll ### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). -If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. +If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. In general, you'll need to take the following steps: 1. Fulfill the onboarding requirements outlined in **Before you begin** section. 
@@ -184,14 +184,14 @@ Support for Windows Server provides deeper insight into server activities, cover ```sc.exe query Windefend``` - If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). + If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
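Review bot: the @@ -184 hunk changes a quoted tool message, not prose: 'The specified service does not exist as an installed service' is the literal text of Win32 error 1060 (ERROR_SERVICE_DOES_NOT_EXIST) that `sc.exe query Windefend` prints, so rewriting it to "doesn't" means the page no longer matches what readers see on screen and breaks copy-and-search. Revert this one string (or mark it as a code span so the style checker skips it); the other contractions in the patch are fine.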
## Integration with Azure Security Center -Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. +Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers. The following capabilities are included in this integration: - Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). From 0c2f8a5a264c3f5f59ad8ef0475298d80ee851e7 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:43:10 +0200 Subject: [PATCH 31/41] Update gov.md Adding: 1. Portal URLs. 2. Power Automate & Logic Apps integrations are now available for GCC. 3. Clarification regarding MMA & patches. --- .../microsoft-defender-atp/gov.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 2bde8df0d5..2fd68eca5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -31,8 +31,18 @@ This offering is currently available to Microsoft 365 GCC and GCC High customers > [!NOTE] > If you are a "GCC on Commercial" customer, please refer to the public documentation pages. +
+## Portal URLs +The following are the specific Microsoft Defender for Endpoint portal URLs: + +Customer type | Portal URL +:---|:--- +GCC | https://gcc.securitycenter.microsoft.us +GCC High | https://securitycenter.microsoft.us + +
## Endpoint versions @@ -63,7 +73,10 @@ Android | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../im iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog > [!NOTE] -> A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment. +> Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment. + +> [!NOTE] +> Trying to onboard Windows Server 2016/2012 R2/2008 R2 SP1 or Windows 8.1 Enterprise/8 Pro/7 SP1 Enterprise/7 SP1 Pro using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud". ### OS versions when using Azure Defender for Servers The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp): @@ -88,7 +101,6 @@ Defender for Endpoint GCC High specific | `winatp-gw-usgt.microsoft.com`
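Review bot: the new MMA note in the @@ -63 hunk is phrased as a question ("Trying to onboard ...? You'll need to choose ..."), which does not match the declarative notes around it; state it directly, for example "When onboarding Windows Server 2016/2012 R2/2008 R2 SP1 or Windows 8.1 Enterprise/8 Pro/7 SP1 Enterprise/7 SP1 Pro with Microsoft Monitoring Agent, choose **Azure US Government** under **Azure Cloud**." It also duplicates the note added to configure-server-endpoints.md in PATCH 29; keeping the instruction in one place and linking to it from the other avoids the two drifting apart. In the @@ -31 hunk, the `+` blank lines before the Portal URLs heading and after the table are removed again in PATCH 32, so the two patches could be squashed.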
`win
- ## API Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs: @@ -100,7 +112,6 @@ SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https:/
- ## Feature parity with commercial Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight. @@ -126,6 +137,6 @@ Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Integrations: Microsoft Power Automate & Azure Logic Apps | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Microsoft Threat Experts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog From 807f04e1810c7b76dc6723c07cf0635bd5e710f4 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:51:12 +0200 Subject: [PATCH 32/41] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 2fd68eca5a..5223c1229a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -32,10 +32,8 @@ This offering is currently available to Microsoft 365 GCC and GCC High customers > [!NOTE] > If you are a "GCC on Commercial" customer, please refer to the public documentation pages. -
- ## Portal URLs -The following are the specific Microsoft Defender for Endpoint portal URLs: +The following are the Microsoft Defender for Endpoint portal URLs for US Government customers: Customer type | Portal URL :---|:--- From 2c2946d03a75384998f916a26260b8c8a0ca1a6c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 1 Feb 2021 09:05:21 +0530 Subject: [PATCH 33/41] typo correction as per the user report #9050, replaced 's' with 'is' --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 76e17626d7..01f89be64e 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -46,7 +46,7 @@ Application compatibility testing has historically been a burden when approachin Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10. -For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). +For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. 
The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). ### Device compatibility From 8cdd0d0ee153d5c8ec94f7fb3d1d31011f08f82d Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 18:57:44 +0200 Subject: [PATCH 34/41] Update troubleshoot-asr.md https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9055 --- .../microsoft-defender-atp/troubleshoot-asr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index 8a626f4670..e507384f99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -100,7 +100,7 @@ When you report a problem with attack surface reduction rules, you are asked to 1. Open an elevated command prompt and change to the Windows Defender directory: ```console - cd c:\program files\windows defender + cd "c:\program files\windows defender" ``` 2. Run this command to generate the diagnostic logs: From f13504560a9849a630ce0b74b5fe3781e3c613b1 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 19:03:07 +0200 Subject: [PATCH 35/41] Update troubleshoot-asr.md Acrolinx. --- .../troubleshoot-asr.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index e507384f99..dd95924a68 100644 
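Review bot: the quoting in `cd "c:\program files\windows defender"` is the right fix, but the commit gives no reason and the `console` fence hides one: in cmd.exe the unquoted form works because `cd` takes the rest of the line as the path, so the failure reported in #9055 most likely came from running the step in an elevated PowerShell prompt, where `cd c:\program files\windows defender` errors on the extra arguments. Since "elevated command prompt" is read as either shell, the quoted form is the portable one; a one-line note to that effect would stop the next reader from "simplifying" it back.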
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -29,9 +29,9 @@ ms.technology: mde When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as: -- A rule blocks a file, process, or performs some other action that it should not (false positive) +- A rule blocks a file, process, or performs some other action that it shouldn't (false positive) -- A rule does not work as described, or does not block a file or process that it should (false negative) +- A rule doesn't work as described, or doesn't block a file or process that it should (false negative) There are four steps to troubleshooting these problems: @@ -53,7 +53,7 @@ Attack surface reduction rules will only work on devices with the following cond - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. -- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these prerequisites have all been met, proceed to the next step to test the rule in audit mode. 
@@ -61,7 +61,7 @@ If these prerequisites have all been met, proceed to the next step to test the r You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. -Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. +Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you're encountering problems with. 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. 
@@ -69,19 +69,19 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct 3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. -If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. +If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled. Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. -If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: +If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation: -1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). +1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). -2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). +2. 
If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). ## Add exclusions for a false positive -If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. +If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md). @@ -95,7 +95,7 @@ Use the [Windows Defender Security Intelligence web-based submission form](https ## Collect diagnostic data for file submissions -When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: From 8d274b26124aa1bf9935770635ffc6ef49baa6cf Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 19:06:40 +0200 Subject: [PATCH 36/41] Update troubleshoot-asr.md --- .../microsoft-defender-atp/troubleshoot-asr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
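Review bot: The contraction change in the `@@ -53,7` hunk is fine, but the sentence it touches still reads "Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**)", which tells the reader to turn the rule off entirely rather than take it out of audit mode; the same file (`@@ -61,7` hunk) states that audit mode is value **2**, so this prerequisite should point at the enabled/block value instead. This Acrolinx pass is a good moment to fix it rather than polish a wrong instruction.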
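Review bot: In the `@@ -69,19` hunk the two items after "proceed to either of the following sections based on your situation" are numbered 1. and 2., which reads as a sequence, but they are mutually exclusive branches (false positive vs. false negative); a bulleted list would convey that better than a numbered one.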
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index dd95924a68..c25e934d20 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -109,7 +109,7 @@ When you report a problem with attack surface reduction rules, you're asked to c mpcmdrun -getfiles ``` -3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. +3. By default, they're saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. ## Related articles From d13ea7f085443acd43a9fa6bb706bb7612c47696 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 1 Feb 2021 10:44:16 -0800 Subject: [PATCH 37/41] Update ios-configure-features.md --- .../ios-configure-features.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index 877b61390e..10354d8762 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md 
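Review bot: In the `@@ -109,7` hunk, "By default, they're saved to ..." leaves "they" without an antecedent inside step 3 (the files come from the `mpcmdrun -getfiles` command in step 2), and the plural sits oddly next to the single `MpSupportFiles.cab` that the next sentence calls "the file". Suggest: "By default, the collected files are packaged into `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach that file to the submission form."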
@@ -32,7 +32,7 @@ ms.technology: mde Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune] https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). +For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune] (https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Web Protection and VPN 
@@ -64,28 +64,28 @@ To protect corporate data from being accessed on jailbroken iOS devices, we reco Follow the steps below to create a compliance policy against jailbroken devices. -1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. +1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. > [!div class="mx-imgBorder"] > ![Create Policy](images/ios-jb-policy.png) -1. Specify a name of the policy, example "Compliance Policy for Jailbreak". -1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. +2. Specify a name of the policy, for example "Compliance Policy for Jailbreak". +3. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. > [!div class="mx-imgBorder"] > ![Policy Settings](images/ios-jb-settings.png) -1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**. +4. In the *Action for noncompliance* section, select the actions as per your requirements and select **Next**. > [!div class="mx-imgBorder"] > ![Policy Actions](images/ios-jb-actions.png) -1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**. -1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. +5. In the *Assignments* section, select the user groups that you want to include for this policy and then select **Next**. +6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. 
## Configure custom indicators -Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators. +Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). > [!NOTE] > Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. From 1adb141e2b2f459d735481a7ddbf7f10311f7322 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Mon, 1 Feb 2021 11:32:08 -0800 Subject: [PATCH 38/41] pencil edit --- .../microsoft-defender-atp/ios-configure-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index 10354d8762..00fc73300c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md 
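Review bot: The `@@ -32,7` hunk does not actually fix the link: `[Defender for Endpoint and Intune] (https://...)` still has a space between `]` and `(`, so Markdown renders the literal bracketed text followed by a parenthesised URL rather than a hyperlink. Remove the space: `[Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection)`.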
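Review bot: In the `@@ -64,28` hunk the "click" to "select" wording change is applied only to steps 4 and 5; step 1 still ends with "click **Create**" and step 3 still says "click to expand ... and click **Block**", so the list is now inconsistent within itself. Change all of them or none. Separately, renumbering the `1.` items to `2.` through `6.` is cosmetic in Markdown (consecutive `1.` items are auto-numbered) and makes future insertions noisier, though it is harmless.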
@@ -32,7 +32,7 @@ ms.technology: mde Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune] (https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). +For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Web Protection and VPN From 5eab1f1af72b8f6bb950f48b8d7e1acd08f53206 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 1 Feb 2021 13:08:11 -0800 Subject: [PATCH 39/41] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 6c6cd0335b..4af39e6318 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -16524,6 +16524,11 @@ "source_path": "windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr", + "redirect_document_id": false } ] } From 27bc25e7daf6b9cc92222580249de5bc691b6725 Mon Sep 17 00:00:00 2001 
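Review bot: This `@@ -32,7` hunk corrects the `] (` spacing left by PATCH 37's change to the same line; the two commits should be squashed so the intermediate broken link never lands in history.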
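Review bot: The `@@ -16524,6` hunk adds a redirect from `windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md`, but the stat line shows only `.openpublishing.redirection.json` changed, so the source file is not removed in this commit. If that file still exists in the repo, the redirect rule and the live page conflict; delete the source in the same commit (as PATCH 41 does for supported-response-apis.md) or state in the message that it was already removed.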
From: Denise Vangel-MSFT Date: Mon, 1 Feb 2021 13:47:35 -0800 Subject: [PATCH 40/41] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...entially-unwanted-apps-microsoft-defender-antivirus.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 73b795ee62..5b962456c2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 01/08/2021 +ms.date: 02/01/2021 ms.reviewer: manager: dansimp ms.technology: mde @@ -164,9 +164,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u ### View PUA events -PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. - -You can also use the `Get-MpThreat` cmdlet to view threats that Defender handled. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example: ```console 
@@ -194,7 +192,7 @@ Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). -## Related articles +## See also - [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) From c38a104e09a6336cc2d137b81f58016861192a53 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 1 Feb 2021 14:28:43 -0800 Subject: [PATCH 41/41] delete page --- .openpublishing.redirection.json | 5 ++ .../supported-response-apis.md | 52 ------------------- 2 files changed, 5 insertions(+), 52 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 6c6cd0335b..3e7809a16e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -2044,6 +2044,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list", + "redirect_document_id": false }, { "source_path": "windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md", 
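Review bot: In the `@@ -164,9` hunk, merging the two sentences and naming Microsoft Defender Antivirus explicitly is a good disambiguation, but "Here's an example:" now introduces a fence tagged `console` for output of a PowerShell cmdlet (`Get-MpThreat`); a `powershell` fence would be the accurate tag.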
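Review bot: Renaming `## Related articles` to `## See also` in the `@@ -194,7` hunk diverges from troubleshoot-asr.md, where PATCH 36 of this same series leaves `## Related articles` in place; pick one heading for the docs set, or leave this one alone until the others are changed too.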
diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md deleted file mode 100644 index 111a228fa4..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: Supported Microsoft Defender Advanced Threat Protection response APIs -description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls. -keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.technology: mde ---- - -# Supported Microsoft Defender for Endpoint query APIs - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -> [!TIP] -> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) - -Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls. - -## In this section -Topic | Description -:---|:--- -Collect investigation package | Run this API to collect an investigation package from a device. -Isolate device | Run this API to isolate a device from the network. -Unisolate device | Remove a device from isolation. -Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. -Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated. 
-Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. -Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys. -Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage. -Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. -Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus. -Get package SAS URI | Run this API to get a URI that allows downloading an investigation package. -Get MachineAction object | Run this API to get MachineAction object. -Get MachineActions collection | Run this to get MachineAction collection. -Get FileActions collection | Run this API to get FileActions collection. -Get FileMachineAction object | Run this API to get FileMachineAction object. -Get FileMachineActions collection | Run this API to get FileMachineAction collection.
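Review bot: The `@@ -2044,6` hunk creates a two-hop redirect: the existing entry immediately above it still sends `windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md` to `.../microsoft-defender-atp/supported-response-apis`, which this same hunk now redirects on to `.../exposed-apis-list`. Update the older entry's `redirect_url` to `https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list` so both old paths resolve in one hop, and decide whether its `redirect_document_id: true` should follow the final target.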
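Review bot: The deleted file's table is the only place in the hunk that enumerates the response actions (Isolate device, Restrict code execution, Stop and quarantine file, Block file, Get package SAS URI, the MachineAction and FileMachineAction objects and collections); before dropping it, confirm the redirect target `exposed-apis-list` lists these same response APIs, otherwise readers arriving via the old URL lose that overview. Minor: the front matter `title` says "response APIs" while the H1 says "query APIs", which the deletion makes moot but is worth not carrying over to the target page.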