From 5547d1d461653e0fe57b7bd77ed99251c8e52e3e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 09:54:04 -0800 Subject: [PATCH 01/76] antivirus platform updates started section for older versions --- ...on-updates-microsoft-defender-antivirus.md | 2 +- ...-baselines-microsoft-defender-antivirus.md | 265 ++++++++++++++++++ 2 files changed, 266 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index 613d0bb3b1..7dcee83d5a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Manage how and where Microsoft Defender AV receives updates +title: Manage how and where Microsoft Defender Antivirus receives updates description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates. keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus search.product: eADQiWindows 10XVcnh diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 9700678379..e5bb66a2ff 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md 
@@ -336,6 +336,271 @@ When this update is installed, the device needs the jump package 4.10.2001.10 to
+### Previous version updates: Technical upgrade support only + +
+ + +
+ November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4) + + Security intelligence update version: **1.327.1854.0** + Released: **December 03, 2020** + Platform: **4.18.2011.6** + Engine: **1.1.17700.4** + Support phase: **Security and Critical Updates** + +### What's new +- Improved SmartScreen status support logging +- Apply CPU throttling policy to manually initiated scans + +### Known Issues +No known issues +
+
+ October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5) + + Security intelligence update version: **1.327.7.0** + Released: **October 29, 2020** + Platform: **4.18.2010.7** + Engine: **1.1.17600.5** + Support phase: **Security and Critical Updates** + +### What's new +- New descriptions for special threat categories +- Improved emulation capabilities +- Improved host address allow/block capabilities +- New option in Defender CSP to Ignore merging of local user exclusions + +### Known Issues +No known issues +
+
+ September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4) + + Security intelligence update version: **1.325.10.0** + Released: **October 01, 2020** + Platform: **4.18.2009.7** + Engine: **1.1.17500.4** + Support phase: **Security and Critical Updates** + +### What's new +- Admin permissions are required to restore files in quarantine +- XML formatted events are now supported +- CSP support for ignoring exclusion merges +- New management interfaces for: + - UDP Inspection + - Network Protection on Server 2019 + - IP Address exclusions for Network Protection +- Improved visibility into TPM measurements +- Improved Office VBA module scanning + +### Known Issues +No known issues +
+
+
+ August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5) + + Security intelligence update version: **1.323.9.0** + Released: **August 27, 2020** + Platform: **4.18.2008.9** + Engine: **1.1.17400.5** + Support phase: **Security and Critical Updates** + +### What's new + +- Add more telemetry events +- Improved scan event telemetry +- Improved behavior monitoring for memory scans +- Improved macro streams scanning +- Added `AMRunningMode` to Get-MpComputerStatus PowerShell cmdlet +- [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program. + + +### Known Issues +No known issues +
+
+ +
+ July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4) + + Security intelligence update version: **1.321.30.0** + Released: **July 28, 2020** + Platform: **4.18.2007.8** + Engine: **1.1.17300.4** + Support phase: **Security and Critical Updates** + +### What's new +* Improved telemetry for BITS +* Improved Authenticode code signing certificate validation + +### Known Issues +No known issues +
+
+ +
+ June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2) + + Security intelligence update version: **1.319.20.0** + Released: **June 22, 2020** + Platform: **4.18.2006.10** + Engine: **1.1.17200.2** + Support phase: **Technical upgrade Support (Only)** + +### What's new +* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) +* Skipping aggressive catchup scan in Passive mode. +* Allow Defender to update on metered connections +* Fixed performance tuning when caching is disabled +* Fixed registry query +* Fixed scantime randomization in ADMX + +### Known Issues +No known issues +
+
+ +
+ May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2) + + Security intelligence update version: **1.317.20.0** + Released: **May 26, 2020** + Platform: **4.18.2005.4** + Engine: **1.1.17100.2** + Support phase: **Technical upgrade Support (Only)** + +### What's new +* Improved logging for scan events +* Improved user mode crash handling. +* Added event tracing for Tamper protection +* Fixed AMSI Sample submission +* Fixed AMSI Cloud blocking +* Fixed Security update install log + +### Known Issues +No known issues +
+
+ +
+ April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2) + + Security intelligence update version: **1.315.12.0** + Released: **April 30, 2020** + Platform: **4.18.2004.6** + Engine: **1.1.17000.2** + Support phase: **Technical upgrade Support (Only)** + +### What's new +* WDfilter improvements +* Add more actionable event data to attack surface reduction detection events +* Fixed version information in diagnostic data and WMI +* Fixed incorrect platform version in UI after platform update +* Dynamic URL intel for Fileless threat protection +* UEFI scan capability +* Extend logging for updates + +### Known Issues +No known issues +
+
+ +
+ March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2) + + Security intelligence update version: **1.313.8.0** + Released: **March 24, 2020** + Platform: **4.18.2003.8** + Engine: **1.1.16900.4** + Support phase: **Technical upgrade Support (Only)** + +### What's new + +* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) +* Improve diagnostic capability +* reduce Security intelligence timeout (5 min) +* Extend AMSI engine internal log capability +* Improve notification for process blocking + +### Known Issues +[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan. + +
+
+ +
+ + February-2020 (Platform: - | Engine: 1.1.16800.2) + + + Security intelligence update version: **1.311.4.0** + Released: **February 25, 2020** + Platform/Client: **-** + Engine: **1.1.16800.2** + Support phase: **N/A** + +### What's new + + +### Known Issues +No known issues +
+
+ +
+ January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2) + + +Security intelligence update version: **1.309.32.0** +Released: **January 30, 2020** +Platform/Client: **4.18.2001.10** +Engine: **1.1.16700.2** +Support phase: **Technical upgrade Support (Only)** + +### What's new + +* Fixed BSOD on WS2016 with Exchange +* Support platform updates when TMP is redirected to network path +* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) +* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) +* Fix 4.18.1911.3 hang + +### Known Issues +[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform. +
+> [!IMPORTANT] +> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability. +
+> [!IMPORTANT] +> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update) +
+
+ +
+ November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7) + +Security intelligence update version: **1.307.13.0** +Released: **December 7, 2019** +Platform: **4.18.1911.3** +Engine: **1.1.17000.7** +Support phase: **No support** + +### What's new + +* Fixed MpCmdRun tracing level +* Fixed WDFilter version info +* Improve notifications (PUA) +* add MRT logs to support files + +### Known Issues +When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version. +
+
+ + ## Microsoft Defender Antivirus platform support Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version: From 2e112248e6888198bc74baf1fe9e35a8fcb7cff4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 09:56:26 -0800 Subject: [PATCH 02/76] Update manage-updates-baselines-microsoft-defender-antivirus.md pared down current version section --- ...-baselines-microsoft-defender-antivirus.md | 200 ------------------ 1 file changed, 200 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index e5bb66a2ff..369b94de5a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -135,206 +135,6 @@ No known issues No known issues
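Review bot: two of the entries added in this hunk contradict their own summary lines: March-2020 is headed `Engine: 1.1.16900.2` but its body reads `Engine: **1.1.16900.4**`, and November-2019 is headed `Engine: 1.1.16600.7` but its body reads `Engine: **1.1.17000.7**`; settle which value is right before copying the entries, because a wrong engine number misleads anyone checking a device against this table. The August-2020 through November-2020 entries also carry `Support phase: **Security and Critical Updates**` under a heading that says technical upgrade support only, and the January-2020 `[!IMPORTANT]` block still reads `This updates is needed` and `the This update is re-released`.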
-
- August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5) - - Security intelligence update version: **1.323.9.0** - Released: **August 27, 2020** - Platform: **4.18.2008.9** - Engine: **1.1.17400.5** - Support phase: **Security and Critical Updates** - -### What's new - -- Add more telemetry events -- Improved scan event telemetry -- Improved behavior monitoring for memory scans -- Improved macro streams scanning -- Added `AMRunningMode` to Get-MpComputerStatus PowerShell cmdlet -- [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program. - - -### Known Issues -No known issues -
-
- -
- July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4) - - Security intelligence update version: **1.321.30.0** - Released: **July 28, 2020** - Platform: **4.18.2007.8** - Engine: **1.1.17300.4** - Support phase: **Security and Critical Updates** - -### What's new -* Improved telemetry for BITS -* Improved Authenticode code signing certificate validation - -### Known Issues -No known issues -
-
- -
- June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2) - - Security intelligence update version: **1.319.20.0** - Released: **June 22, 2020** - Platform: **4.18.2006.10** - Engine: **1.1.17200.2** - Support phase: **Technical upgrade Support (Only)** - -### What's new -* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) -* Skipping aggressive catchup scan in Passive mode. -* Allow Defender to update on metered connections -* Fixed performance tuning when caching is disabled -* Fixed registry query -* Fixed scantime randomization in ADMX - -### Known Issues -No known issues -
-
- -
- May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2) - - Security intelligence update version: **1.317.20.0** - Released: **May 26, 2020** - Platform: **4.18.2005.4** - Engine: **1.1.17100.2** - Support phase: **Technical upgrade Support (Only)** - -### What's new -* Improved logging for scan events -* Improved user mode crash handling. -* Added event tracing for Tamper protection -* Fixed AMSI Sample submission -* Fixed AMSI Cloud blocking -* Fixed Security update install log - -### Known Issues -No known issues -
-
- -
- April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2) - - Security intelligence update version: **1.315.12.0** - Released: **April 30, 2020** - Platform: **4.18.2004.6** - Engine: **1.1.17000.2** - Support phase: **Technical upgrade Support (Only)** - -### What's new -* WDfilter improvements -* Add more actionable event data to attack surface reduction detection events -* Fixed version information in diagnostic data and WMI -* Fixed incorrect platform version in UI after platform update -* Dynamic URL intel for Fileless threat protection -* UEFI scan capability -* Extend logging for updates - -### Known Issues -No known issues -
-
- -
- March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2) - - Security intelligence update version: **1.313.8.0** - Released: **March 24, 2020** - Platform: **4.18.2003.8** - Engine: **1.1.16900.4** - Support phase: **Technical upgrade Support (Only)** - -### What's new - -* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) -* Improve diagnostic capability -* reduce Security intelligence timeout (5 min) -* Extend AMSI engine internal log capability -* Improve notification for process blocking - -### Known Issues -[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan. - -
-
- -
- - February-2020 (Platform: - | Engine: 1.1.16800.2) - - - Security intelligence update version: **1.311.4.0** - Released: **February 25, 2020** - Platform/Client: **-** - Engine: **1.1.16800.2** - Support phase: **N/A** - -### What's new - - -### Known Issues -No known issues -
-
- -
- January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2) - - -Security intelligence update version: **1.309.32.0** -Released: **January 30, 2020** -Platform/Client: **4.18.2001.10** -Engine: **1.1.16700.2** -Support phase: **Technical upgrade Support (Only)** - -### What's new - -* Fixed BSOD on WS2016 with Exchange -* Support platform updates when TMP is redirected to network path -* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) -* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) -* Fix 4.18.1911.3 hang - -### Known Issues -[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform. -
-> [!IMPORTANT] -> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability. -
-> [!IMPORTANT] -> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update) -
-
- -
- November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7) - -Security intelligence update version: **1.307.13.0** -Released: **December 7, 2019** -Platform: **4.18.1911.3** -Engine: **1.1.17000.7** -Support phase: **No support** - -### What's new - -* Fixed MpCmdRun tracing level -* Fixed WDFilter version info -* Improve notifications (PUA) -* add MRT logs to support files - -### Known Issues -When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version. -
-
### Previous version updates: Technical upgrade support only From 416714f3047acf819fdd17f7a1af61e609ccba4a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 09:57:33 -0800 Subject: [PATCH 03/76] Update manage-updates-baselines-microsoft-defender-antivirus.md set the previous versions section right --- ...-baselines-microsoft-defender-antivirus.md | 58 ------------------- 1 file changed, 58 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 369b94de5a..51619b0baa 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -141,64 +141,6 @@ No known issues
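Review bot: this deletion is the other half of the move started in PATCH 01, so the two commits should be squashed (or the move made in one commit) so a reviewer can compare the relocated entries against the originals instead of checking 200 deleted lines by eye; as it stands the series has an intermediate state in which every entry from August-2020 back to November-2019 appears twice on the page.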
-
- November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4) - - Security intelligence update version: **1.327.1854.0** - Released: **December 03, 2020** - Platform: **4.18.2011.6** - Engine: **1.1.17700.4** - Support phase: **Security and Critical Updates** - -### What's new -- Improved SmartScreen status support logging -- Apply CPU throttling policy to manually initiated scans - -### Known Issues -No known issues -
-
- October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5) - - Security intelligence update version: **1.327.7.0** - Released: **October 29, 2020** - Platform: **4.18.2010.7** - Engine: **1.1.17600.5** - Support phase: **Security and Critical Updates** - -### What's new -- New descriptions for special threat categories -- Improved emulation capabilities -- Improved host address allow/block capabilities -- New option in Defender CSP to Ignore merging of local user exclusions - -### Known Issues -No known issues -
-
- September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4) - - Security intelligence update version: **1.325.10.0** - Released: **October 01, 2020** - Platform: **4.18.2009.7** - Engine: **1.1.17500.4** - Support phase: **Security and Critical Updates** - -### What's new -- Admin permissions are required to restore files in quarantine -- XML formatted events are now supported -- CSP support for ignoring exclusion merges -- New management interfaces for: - - UDP Inspection - - Network Protection on Server 2019 - - IP Address exclusions for Network Protection -- Improved visibility into TPM measurements -- Improved Office VBA module scanning - -### Known Issues -No known issues -
-
August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5) From 73a985f3c311e4c1d5ca49669d34a88560c1a6ed Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 10:04:11 -0800 Subject: [PATCH 04/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 51619b0baa..44ab2eeb3b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -138,8 +138,7 @@ No known issues ### Previous version updates: Technical upgrade support only -
- +Previous version updates are listed below, and are provided for technical upgrade support only.
August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5) From cc317b344eb1ab1b72f9447bee04657ef53ea525 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 10:06:27 -0800 Subject: [PATCH 05/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- ...s-baselines-microsoft-defender-antivirus.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 44ab2eeb3b..fcdf912ecb 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -174,8 +174,9 @@ No known issues  Support phase: **Security and Critical Updates** ### What's new -* Improved telemetry for BITS -* Improved Authenticode code signing certificate validation + +- Improved telemetry for BITS +- Improved Authenticode code signing certificate validation ### Known Issues No known issues 
@@ -192,12 +193,13 @@ No known issues  Support phase: **Technical upgrade Support (Only)** ### What's new -* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) -* Skipping aggressive catchup scan in Passive mode. -* Allow Defender to update on metered connections -* Fixed performance tuning when caching is disabled -* Fixed registry query -* Fixed scantime randomization in ADMX + +- Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) +- Skipping aggressive catchup scan in Passive mode. +- Allow Defender to update on metered connections +- Fixed performance tuning when caching is disabled +- Fixed registry query +- Fixed scantime randomization in ADMX ### Known Issues No known issues From b8b63496d4d95ade904771ceebe2963fa6b155b0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 10:08:53 -0800 Subject: [PATCH 06/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index fcdf912ecb..e03dbc86af 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md 
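Review bot: switching `*` to `-` in the July-2020 and June-2020 lists leaves May-2020, April-2020, March-2020, January-2020 and November-2019 on `*`, so the section still mixes markers; apply the same change to the remaining lists in this commit so the whole section uses one style.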
@@ -138,7 +138,7 @@ No known issues ### Previous version updates: Technical upgrade support only -Previous version updates are listed below, and are provided for technical upgrade support only. +Previous version updates are listed below, and are provided for technical upgrade support only.
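Review bot: the `-` and `+` lines here are textually identical, so this is a whitespace-only change (most likely a trailing space) that should be folded into PATCH 04, which introduced the sentence; a separate commit for invisible whitespace only adds noise to the history.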
August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5) From 826a1a8811b502b5ea1919939cbd17e6d907a624 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 10:15:42 -0800 Subject: [PATCH 07/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index e03dbc86af..1a71bfa5e6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -68,7 +68,7 @@ For more information, see [Manage the sources for Microsoft Defender Antivirus p ## Monthly platform and engine versions -For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). +For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). All our updates contain - performance improvements; @@ -138,7 +138,8 @@ No known issues ### Previous version updates: Technical upgrade support only -Previous version updates are listed below, and are provided for technical upgrade support only.
+Previous version updates are listed below, and are provided for technical upgrade support only. +
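Review bot: the rewritten sentence in the first hunk, `For information how to update or install the platform update, see ...`, is still ungrammatical; it needs a preposition, e.g. `For information about how to update or install the platform, see ...`, which also removes the repeated `update ... update`.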
August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5) From fca8929adac3fdb1f6b1477f674cab953066fdab Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 10:20:10 -0800 Subject: [PATCH 08/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- ...-baselines-microsoft-defender-antivirus.md | 26 +++++++++---------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 1a71bfa5e6..ced116a6ed 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -148,7 +148,6 @@ Previous version updates are listed below, and are provided for technical upgrad  Released: **August 27, 2020**  Platform: **4.18.2008.9**  Engine: **1.1.17400.5** - Support phase: **Security and Critical Updates** ### What's new @@ -172,7 +171,7 @@ No known issues  Released: **July 28, 2020**  Platform: **4.18.2007.8**  Engine: **1.1.17300.4** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade support (only)** ### What's new @@ -191,7 +190,7 @@ No known issues  Released: **June 22, 2020**  Platform: **4.18.2006.10**  Engine: **1.1.17200.2** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new @@ -214,7 +213,7 @@ No known issues  Released: **May 26, 2020**  Platform: **4.18.2005.4**  Engine: **1.1.17100.2** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new * Improved logging for scan events 
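Review bot: the first hunk removes `Support phase: **Security and Critical Updates**` from August-2020 without a replacement, while every other entry in the section gets `Support phase: **Technical upgrade support (only)**`; August-2020 should receive the same line, otherwise it becomes the one entry on the page with no support phase at all.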
@@ -236,7 +235,7 @@ No known issues  Released: **April 30, 2020**  Platform: **4.18.2004.6**  Engine: **1.1.17000.2** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new * WDfilter improvements @@ -259,7 +258,7 @@ No known issues  Released: **March 24, 2020**  Platform: **4.18.2003.8**  Engine: **1.1.16900.4** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new @@ -280,11 +279,11 @@ No known issues February-2020 (Platform: - | Engine: 1.1.16800.2) - Security intelligence update version: **1.311.4.0** - Released: **February 25, 2020** - Platform/Client: **-** - Engine: **1.1.16800.2** - Support phase: **N/A** + Security intelligence update version: **1.311.4.0** + Released: **February 25, 2020** + Platform/Client: **-** + Engine: **1.1.16800.2** + Support phase: **Technical upgrade support (only)** ### What's new @@ -302,7 +301,7 @@ Security intelligence update version: **1.309.32.0** Released: **January 30, 2020** Platform/Client: **4.18.2001.10** Engine: **1.1.16700.2** -Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new @@ -317,8 +316,7 @@ Support phase: **Technical upgrade Support (Only)**
> [!IMPORTANT] > This updates is needed by RS1 devices running lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability. -
-> [!IMPORTANT] +> > This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update)
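Review bot: the February-2020 hunk changes `Support phase: **N/A**` to `**Technical upgrade support (only)**`, but that entry has `Platform/Client: **-**`, i.e. no platform shipped that month and the support phase describes the platform, so `N/A` looks deliberate; confirm the intent before changing it. In the January-2020 hunk of the same change, `+ Support phase:` gains a leading space that the preceding `Engine:` and `Platform/Client:` lines in that block do not have.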
From dc492ee3d0ce928a299c4a0cfa47a44dfa6a9ded Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 10:21:36 -0800 Subject: [PATCH 09/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- ...e-updates-baselines-microsoft-defender-antivirus.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index ced116a6ed..1a06c92c1c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md 
@@ -305,11 +305,11 @@ Engine: **1.1.16700.2** ### What's new -* Fixed BSOD on WS2016 with Exchange -* Support platform updates when TMP is redirected to network path -* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) -* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) -* Fix 4.18.1911.3 hang +- Fixed BSOD on WS2016 with Exchange +- Support platform updates when TMP is redirected to network path +- Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) +- extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) +- Fix 4.18.1911.3 hang ### Known Issues [**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform. From d96c503113c007458469f126bae0d898f3ed4b14 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 10:44:40 -0800 Subject: [PATCH 10/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- ...pdates-baselines-microsoft-defender-antivirus.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 1a06c92c1c..5ad59164fb 100644 
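Review bot: since these five bullets are being rewritten anyway, `extend Emergency signature update` and `Fix 4.18.1911.3 hang` should match the capitalisation and tense of the neighbouring items (`Extend emergency signature update ...`, `Fixed 4.18.1911.3 hang`); changing only the marker leaves the list inconsistent.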
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -47,7 +47,7 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). -For a list of recent security intelligence updates, please visit: [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes). +For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes). Engine updates are included with security intelligence updates and are released on a monthly cadence. @@ -315,9 +315,12 @@ Engine: **1.1.16700.2** [**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
> [!IMPORTANT] -> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability. -> -> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update) +> This update is: +> - needed by RS1 devices running lower version of the platform to support SHA2; +> - has a reboot flag for systems that have hanging issues; +> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability; +> - is categorized as an update due to the reboot requirement; and +> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).
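Review bot: the rewritten IMPORTANT note in the @@ -315 hunk loses its grammatical parallelism and carries a grammar error in its last item. The lead-in `> This update is:` is completed by items such as `> - has a reboot flag for systems that have hanging issues;` and `> - is re-released in April 2020 ...`, which render as "This update is has a reboot flag" and "This update is is re-released", and the final item `> - is only be offered with [Windows Update](...)` should read "is only offered with". Suggest dropping the leading verb from each item so every item completes the lead-in ("needed by RS1 devices running a lower version of the platform to support SHA2", "flagged for reboot on systems that have hanging issues", "re-released in April 2020 and not superseded by newer updates, to keep future availability", "categorized as an update because of the reboot requirement", "offered only through Windows Update"), or change the lead-in to "About this update:" and keep full sentences. "running lower version" also needs the article "a".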
@@ -439,7 +442,7 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind | Article | Description | |:---|:---| |[Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images) | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 installation images. | -|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. | +|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through many sources. | |[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. | |[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. | |[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. | From 8dcc321629d71e40ba144d416f16a58282dd616d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 10:53:25 -0800 Subject: [PATCH 11/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 5ad59164fb..5f8677d0a2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -74,7 +74,7 @@ All our updates contain - performance improvements; - serviceability improvements; and - integration improvements (Cloud, Microsoft 365 Defender). -
+

From a7c9d594764abfdcf662c3209e6f38b5de726d38 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 12:47:02 -0800 Subject: [PATCH 12/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 5f8677d0a2..0eca49c841 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -139,7 +139,7 @@ No known issues ### Previous version updates: Technical upgrade support only Previous version updates are listed below, and are provided for technical upgrade support only. -
+

August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5) From e09403ba403f4b2eef8e5ffc73e38487695d0fdd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 12:49:31 -0800 Subject: [PATCH 13/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- ...-baselines-microsoft-defender-antivirus.md | 52 +++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 0eca49c841..8c2cf4a503 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -216,12 +216,13 @@ No known issues  Support phase: **Technical upgrade support (only)** ### What's new -* Improved logging for scan events -* Improved user mode crash handling. -* Added event tracing for Tamper protection -* Fixed AMSI Sample submission -* Fixed AMSI Cloud blocking -* Fixed Security update install log + +- Improved logging for scan events +- Improved user mode crash handling. +- Added event tracing for Tamper protection +- Fixed AMSI Sample submission +- Fixed AMSI Cloud blocking +- Fixed Security update install log ### Known Issues No known issues 
@@ -238,13 +239,13 @@ No known issues  Support phase: **Technical upgrade support (only)** ### What's new -* WDfilter improvements -* Add more actionable event data to attack surface reduction detection events -* Fixed version information in diagnostic data and WMI -* Fixed incorrect platform version in UI after platform update -* Dynamic URL intel for Fileless threat protection -* UEFI scan capability -* Extend logging for updates +- WDfilter improvements +- Add more actionable event data to attack surface reduction detection events +- Fixed version information in diagnostic data and WMI +- Fixed incorrect platform version in UI after platform update +- Dynamic URL intel for Fileless threat protection +- UEFI scan capability +- Extend logging for updates ### Known Issues No known issues @@ -262,11 +263,11 @@ No known issues ### What's new -* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) -* Improve diagnostic capability -* reduce Security intelligence timeout (5 min) -* Extend AMSI engine internal log capability -* Improve notification for process blocking +- CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) +- Improve diagnostic capability +- reduce Security intelligence timeout (5 min) +- Extend AMSI engine internal log capability +- Improve notification for process blocking ### Known Issues [**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan. 
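Review bot: the @@ -238 hunk rewrites `- WDfilter improvements` but keeps the lowercase "WDfilter", while the @@ -335 hunk in the same patch writes `- Fixed WDFilter version info` and the known-issues text earlier in this file refers to the "Windows Defender filter driver". Choose one spelling for the driver name and use it in both lists, since the hunk is already touching the line. The same hunk could also resolve the tense mix in the list ("Add more actionable event data", "Extend logging for updates" beside "Fixed version information"), as could the @@ -262 hunk for `- reduce Security intelligence timeout (5 min)`, which is both lowercase and ambiguous about whether the timeout was reduced to or by five minutes.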
@@ -335,10 +336,10 @@ Support phase: **No support** ### What's new -* Fixed MpCmdRun tracing level -* Fixed WDFilter version info -* Improve notifications (PUA) -* add MRT logs to support files +- Fixed MpCmdRun tracing level +- Fixed WDFilter version info +- Improve notifications (PUA) +- add MRT logs to support files ### Known Issues When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version. @@ -350,10 +351,9 @@ When this update is installed, the device needs the jump package 4.10.2001.10 to Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version: -* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. +- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. - -* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* +- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* \* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version. @@ -437,7 +437,7 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
-## See also +## Additional resources | Article | Description | |:---|:---| From e70b00fdb317a77d4af5e179e4a46a255763c772 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 12:51:23 -0800 Subject: [PATCH 14/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 8c2cf4a503..ab98ec1db1 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp -ms.date: 12/05/2020 +ms.date: 01/06/2021 --- # Manage Microsoft Defender Antivirus updates and apply baselines From 3d534fd878ebe46062e47359c39ad3adc08c1334 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 12:52:38 -0800 Subject: [PATCH 15/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index ab98ec1db1..05f8205f31 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md 
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -377,7 +377,9 @@ Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsof ## Updates for Deployment Image Servicing and Management (DISM) -We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). +We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. + +For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
1.1.2012.01 From 626b657efce0437d1b286550b1a9d53c40f6f678 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 12:56:43 -0800 Subject: [PATCH 16/76] Update manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md --- ...updates-mobile-devices-vms-microsoft-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index fbbf677933..dd49d3b0d9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Define how mobile devices are updated by Microsoft Defender AV -description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates. +title: Define how mobile devices are updated by Microsoft Defender Antivirus +description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender Antivirus protection updates. keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override search.product: eADQiWindows 10XVcnh ms.prod: w10 From f0bac1eec4ef42ca874ba877510e85e8ef7f63b9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 12:56:56 -0800 Subject: [PATCH 17/76] added ms.reviewer --- ...e-protection-update-schedule-microsoft-defender-antivirus.md | 2 +- .../manage-protection-updates-microsoft-defender-antivirus.md | 2 +- .../manage-updates-baselines-microsoft-defender-antivirus.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index add2af0433..acbc359a64 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp --- diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index 7dcee83d5a..9cfcd64a5d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp ms.custom: nextgen --- diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 05f8205f31..943036f62c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md 
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp ms.date: 01/06/2021 --- From f11d7c5bb46be69cdab41a8e9041a45dcd272e46 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 13:04:22 -0800 Subject: [PATCH 18/76] Update manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md --- ...es-mobile-devices-vms-microsoft-defender-antivirus.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index dd49d3b0d9..788464ca9c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md @@ -11,7 +11,6 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 ms.reviewer: manager: dansimp --- 
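Review bot: the @@ -11 hunk deletes `-ms.date: 09/03/2018` from the front matter of manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md instead of updating it, whereas PATCH 14 in this series bumps the same key to `+ms.date: 01/06/2021` in manage-updates-baselines-microsoft-defender-antivirus.md. If the intent is to remove the stale last-updated date so the page shows none, state that in the commit message; otherwise set it to 01/06/2021 for consistency with the rest of the series.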
@@ -25,14 +24,14 @@ manager: dansimp - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. +Mobile devices and VMs may require more configuration to ensure performance is not impacted by updates. -There are two settings that are particularly useful for these devices: +There are two settings that are useful for these devices: -- Opt-in to Microsoft Update on mobile computers without a WSUS connection +- Opt in to Microsoft Update on mobile computers without a WSUS connection - Prevent Security intelligence updates when running on battery power -The following topics may also be useful in these situations: +The following articles may also be useful in these situations: - [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) - [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md) From c3db2e4504e7aef50e2875f930c91906f16fbd3c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 13:05:03 -0800 Subject: [PATCH 19/76] Update manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md --- ...-mobile-devices-vms-microsoft-defender-antivirus.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index 788464ca9c..d4f2648721 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md 
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md 
@@ -36,21 +36,21 @@ The following articles may also be useful in these situations: - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) - [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md) -## Opt-in to Microsoft Update on mobile computers without a WSUS connection +## Opt in to Microsoft Update on mobile computers without a WSUS connection You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update. -You can opt-in to Microsoft Update on the mobile device in one of the following ways: +You can opt in to Microsoft Update on the mobile device in one of the following ways: 1. Change the setting with Group Policy 2. Use a VBScript to create a script, then run it on each computer in your network. -3. Manually opt-in every computer on your network through the **Settings** menu. +3. Manually opt in every computer on your network through the **Settings** menu. -### Use Group Policy to opt-in to Microsoft Update +### Use Group Policy to opt in to Microsoft Update -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration**. 
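Review bot: in the @@ -36 hunk the Group Policy procedure's numbered list jumps from `1. On your Group Policy management machine, ...` straight to `3. In the **Group Policy Management Editor** go to **Computer configuration**.` with no step 2, and the unchanged heading `### Use a VBScript to opt-in to Microsoft Update` keeps the hyphenated "opt-in" that this hunk replaces everywhere else. Since the hunk already rewrites step 1 and the surrounding headings, renumber the steps 1 through 5 and change that heading to "opt in" in the same commit, so the file is consistent at every point in the history rather than only after the later fix-up commits.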
From fc6aa4c6fbc44a975595272f6b3b6f2d8a54b7a8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 13:06:10 -0800 Subject: [PATCH 20/76] Update manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md --- ...e-devices-vms-microsoft-defender-antivirus.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index d4f2648721..0aebecaa24 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md 
@@ -44,21 +44,21 @@ This means that protection updates can be delivered to devices (via Microsoft Up You can opt in to Microsoft Update on the mobile device in one of the following ways: -1. Change the setting with Group Policy -2. Use a VBScript to create a script, then run it on each computer in your network. -3. Manually opt in every computer on your network through the **Settings** menu. +- Change the setting with Group Policy. +- Use a VBScript to create a script, then run it on each computer in your network. +- Manually opt in every computer on your network through the **Settings** menu. ### Use Group Policy to opt in to Microsoft Update -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. -6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. +5. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. ### Use a VBScript to opt-in to Microsoft Update From 46347c664d31c280299be5b2b46bcb6fe27722b8 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 13:07:11 -0800 Subject: [PATCH 21/76] Update manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md --- ...evices-vms-microsoft-defender-antivirus.md | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index 0aebecaa24..e9c2d12071 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md 
@@ -63,14 +63,17 @@ You can opt in to Microsoft Update on the mobile device in one of the following ### Use a VBScript to opt-in to Microsoft Update -1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. -2. Run the VBScript you created on each computer in your network. +1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. + +2. Run the VBScript you created on each computer in your network. ### Manually opt-in to Microsoft Update -1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. -2. Click **Advanced** options. -3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. +1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. + +2. Click **Advanced** options. + +3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. ## Prevent Security intelligence updates when running on battery power 
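Review bot: the @@ -63 hunk inserts blank lines between list steps but leaves `1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.` and the heading `### Manually opt-in to Microsoft Update` with the hyphenated form; "opt in" is the verb (as in the hunk header's own context line "You can opt in to Microsoft Update on the mobile device"), while "opt-in" is the noun or adjective. Because those lines are already being rewritten here, fix the verb form in this commit rather than in a follow-up.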
@@ -80,15 +83,14 @@ You can configure Microsoft Defender Antivirus to only download protection updat 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting: - - 1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**. - 2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power. +4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting: + - Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**. + - Click **OK**. This will prevent protection updates from downloading when the PC is on battery power. ## Related articles From ba0e74fc8109ec3be756de9b64ce3e118ee8f255 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 13:09:57 -0800 Subject: [PATCH 22/76] Update manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md --- ...-devices-vms-microsoft-defender-antivirus.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index e9c2d12071..816025ec14 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md 
@@ -54,24 +54,24 @@ You can opt in to Microsoft Update on the mobile device in one of the following 2. In the **Group Policy Management Editor** go to **Computer configuration**. -3. Click **Policies** then **Administrative templates**. +3. Select **Policies** then **Administrative templates**. 4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. -5. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. +5. Set **Allow security intelligence updates from Microsoft Update** to **Enabled**, and then select **OK**. -### Use a VBScript to opt-in to Microsoft Update +### Use a VBScript to opt in to Microsoft Update 1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. 2. Run the VBScript you created on each computer in your network. -### Manually opt-in to Microsoft Update +### Manually opt in to Microsoft Update -1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. +1. Open **Windows Update** in **Update & security** settings on the computer you want to opt in. -2. Click **Advanced** options. +2. Select **Advanced** options. 3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. 
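Review bot: in the @@ -54 hunk `+2. Select **Advanced** options.` bolds only the first word of what reads as a single UI label; if the control is labelled "Advanced options", the bold should cover both words (`**Advanced options**`), as the other steps do for complete labels such as `**Give me updates for other Microsoft products when I update Windows**`. Also, `+5. Set **Allow security intelligence updates from Microsoft Update** to **Enabled**, and then select **OK**.` drops the "double-click the setting" action that opened the policy dialog in the previous wording; keep a brief "open the setting" instruction so readers know where **Enabled** is chosen.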
@@ -87,10 +87,9 @@ You can configure Microsoft Defender Antivirus to only download protection updat 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting: +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**. - - Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**. - - Click **OK**. This will prevent protection updates from downloading when the PC is on battery power. +This action prevents protection updates from downloading when the PC is on battery power. ## Related articles From 8780dfa7a688808075a706f2327abc00fb41acdd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 13:11:02 -0800 Subject: [PATCH 23/76] acrolinx fixes --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 5 +++++ ...pdates-mobile-devices-vms-microsoft-defender-antivirus.md | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 943036f62c..4f60e5d308 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -87,6 +87,7 @@ All our updates contain  Support phase: **Security and Critical Updates** ### What's new + - Improved SmartScreen status support logging - Apply CPU throttling policy to manually initiated scans 
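Review bot: step 3 in the unchanged context of the battery-power hunk still reads "Click **Policies** then **Administrative templates**." while the rewritten step 4 uses "select"; switch it in the same hunk to "Select **Policies**, and then select **Administrative templates**" so the procedure uses one verb, as the earlier hunk at line 54 of this file already does.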
@@ -103,12 +104,14 @@ No known issues  Support phase: **Security and Critical Updates** ### What's new + - New descriptions for special threat categories - Improved emulation capabilities - Improved host address allow/block capabilities - New option in Defender CSP to Ignore merging of local user exclusions ### Known Issues + No known issues
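Review bot: in the "What's new" list of this hunk, "New option in Defender CSP to Ignore merging of local user exclusions" capitalizes "Ignore" mid-sentence; lowercase it, or put the CSP setting name in bold or code if that is what the capital is meant to signal.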
@@ -121,6 +124,7 @@ No known issues  Support phase: **Security and Critical Updates** ### What's new + - Admin permissions are required to restore files in quarantine - XML formatted events are now supported - CSP support for ignoring exclusion merges @@ -132,6 +136,7 @@ No known issues - Improved Office VBA module scanning ### Known Issues + No known issues
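Review bot: both hunks add the blank line after "### What's new" but leave "### Known Issues" in title case; pick one heading style ("### Known issues" matches "What's new") so the monthly version blocks are consistent.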
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index 816025ec14..e2fb5173d8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md @@ -81,11 +81,11 @@ You can configure Microsoft Defender Antivirus to only download protection updat ### Use Group Policy to prevent security intelligence updates on battery power -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), choose the Group Policy Object you want to configure, and open it for editing. 2. In the **Group Policy Management Editor** go to **Computer configuration**. -3. Click **Policies** then **Administrative templates**. +3. Select **Policies** then **Administrative templates**. 4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**. From fe649b4c7c31cb96b839b1239afa9629c24a3c37 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 6 Jan 2021 13:48:15 -0800 Subject: [PATCH 24/76] Removed "en-us" from a Microsoft URL (and verified that it works) --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
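Review bot: the rewritten step 1 ("choose the Group Policy Object you want to configure, and open it for editing") drops the concrete action the old text gave (right-click, then **Edit**); keep the UI step explicit, for example "select the Group Policy Object you want to configure, and then select **Edit**". The technet.microsoft.com link for the Group Policy Management Console on the same line is also a legacy host and should be updated while the line is being edited.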
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 4f60e5d308..7835dd3bfa 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -47,7 +47,7 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). -For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes). +For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes). Engine updates are included with security intelligence updates and are released on a monthly cadence. From 42cd42a769e77b375de26bac0b2d699e431202ea Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 6 Jan 2021 13:52:15 -0800 Subject: [PATCH 25/76] Acrolinx: "Powershell" --- .../manage-protection-updates-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index 9cfcd64a5d..42af3da160 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -170,7 +170,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence MD C:\Temp\TempSigs\x86 ``` -3. Download the Powershell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4). +3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4). 4. Click **Manual Download**. From e8871be545839500d584cf5fee416289e1db85ae Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Thu, 7 Jan 2021 00:53:32 +0200 Subject: [PATCH 26/76] Update gov.md Updating GCC-H items. --- .../microsoft-defender-atp/gov.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 71d6de5b4d..115eb14cc6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -49,13 +49,13 @@ Windows 10, version 1803 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes Windows 10, version 1709 | ![No](../images/svg/check-no.svg)
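Review bot: the PowerShell Gallery link in step 3 is pinned to version 1.4 (/SignatureDownloadCustomTask/1.4) and step 4 then has the reader download the script manually; a pinned URL will not surface later releases, so either link the package page without the version or add a note to check for a newer one, and tell the reader to review the script before scheduling it, since it populates the share that feeds security intelligence updates to every endpoint. Step 4's "Click **Manual Download**" should also become "Select" to match the rest of this series.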
Note: Will not be supported | ![Yes](../images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)
Note: Will be deprecated, please upgrade Windows 10, version 1703 and earlier | ![No](../images/svg/check-no.svg)
Note: Will not be supported | ![No](../images/svg/check-no.svg)
Note: Will not be supported Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) -Windows Server 2016 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) -Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) -Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) -Windows 8.1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) -Windows 8 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) -Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) -Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) +Windows Server 2016 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Windows 8.1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Windows 8 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development Mac OS | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Linux | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) iOS | ![No](../images/svg/check-no.svg) | 
![No](../images/svg/check-no.svg) 
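Review bot: this hunk introduces two different pending-status labels in one row ("Coming soon" under GCC, "In development" under GCC High) without defining either; add a one-line legend above the table or use a single term. The Mac OS, Linux, iOS and Android rows keep a bare "No" with no status, so a reader cannot tell "not planned" from "not yet".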
@@ -106,24 +106,24 @@ These are the known gaps as of January 2021: Feature name | GCC | GCC High :---|:---|:--- -Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) -Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) +Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) -Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) -Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) -Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) -Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) -Management and APIs: Integration with third-party products | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) -Email notifications | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) -Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) -Web content filtering | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) -Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) +Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | 
![No](../images/svg/check-no.svg) In development +Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Management and APIs: Integration with third-party products | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Email notifications | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Web content filtering | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) -Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) -Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) +Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Coming 
soon | ![No](../images/svg/check-no.svg) In development +Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Microsoft Threat Experts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) From 7be16fb46bf696a82e35d4f6f6adf57f65a07190 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Thu, 7 Jan 2021 00:57:28 +0200 Subject: [PATCH 27/76] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 115eb14cc6..84f767e39e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -123,7 +123,7 @@ Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) | Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) -Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) +Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Microsoft Threat Experts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) 
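Review bot: after the @@ -106,24 hunk the "Integrations:" rows for Microsoft Cloud App Security, Microsoft Compliance Center, Microsoft Defender for Identity, Microsoft Defender for Office 365 and Microsoft Endpoint DLP, plus "Automated investigation and remediation: Response to Office 365 alerts" and "Microsoft Threat Experts", still show a bare "No" in both columns while every other "No" now carries "In development" or "Coming soon"; state whether those are not planned. The Intune row was missed in that hunk and is picked up by the follow-up @@ -123,7 hunk on the same file.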
From e45c64a19d9b466f61c5d51741343251be314cd1 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Thu, 7 Jan 2021 01:09:45 +0200 Subject: [PATCH 28/76] Update gov.md --- .../microsoft-defender-atp/gov.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 84f767e39e..3d962dd0a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md 
@@ -106,16 +106,16 @@ These are the known gaps as of January 2021: Feature name | GCC | GCC High :---|:---|:--- -Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development -Management and APIs: Integration with third-party products | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Email notifications | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Management and APIs: Integration with third-party products | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development 
+Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development +Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Web content filtering | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) From 4e3f511b6407affadd31bfdf5ee41438c05f9bad Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Thu, 7 Jan 2021 03:47:56 +0200 Subject: [PATCH 29/76] Update gov.md --- .../threat-protection/microsoft-defender-atp/gov.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 3d962dd0a1..b4e6a21755 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md 
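Review bot: the reorder in this hunk sorts only the first block of rows alphabetically (Automated investigation through Web content filtering) and leaves the "Integrations:" rows and "Microsoft Threat Experts" after "Web content filtering"; either sort the whole table or keep the original grouping, since a half-sorted table looks accidental. The hunk is a pure move (7 removed, 7 added), so no status values change here.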
@@ -56,8 +56,8 @@ Windows 8.1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](. Windows 8 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development -Mac OS | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) -Linux | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) +Mac OS | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +Linux | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development iOS | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Android | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) 
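Review bot: "Mac OS" in this hunk should be "macOS" (the product name), and since this is the hunk that adds "In development" to the non-Windows rows, the iOS and Android rows directly below should get a status too, or a note that they are not planned.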
@@ -116,7 +116,7 @@ Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Coming so Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Web content filtering | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Web content filtering | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) From 57756ccc29977a9c507ee80efac23862981764a6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 17:56:22 -0800 Subject: [PATCH 30/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- ...-baselines-microsoft-defender-antivirus.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 7835dd3bfa..1b9cc2aad0 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md 
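Review bot: changing the GCC cell for Web content filtering from "Coming soon" to "In development" leaves the GCC column with a mix of both labels (Email notifications, Streaming API, Azure Sentinel and Power Automate/Logic Apps still say "Coming soon"); if the two terms mean different things, recheck those rows, otherwise use one term throughout.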
@@ -64,7 +64,7 @@ You can manage the distribution of updates through one of the following methods: For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). > [!NOTE] -> We release these monthly updates in phases. This results in multiple packages visible in your WSUS server. +> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). ## Monthly platform and engine versions @@ -143,7 +143,7 @@ No known issues ### Previous version updates: Technical upgrade support only -Previous version updates are listed below, and are provided for technical upgrade support only. +After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
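Review bot: the new note text in the @@ -64,7 hunk has a typo in the link text, "Window Server Update Services" should be "Windows Server Update Services (WSUS)"; "resulting in multiple packages visible in your ..." also reads better as "so several packages can appear in your WSUS server at the same time".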
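Review bot: the rewritten sentence in the @@ -143,7 hunk says support for the previous two versions "is reduced to technical support only", but the version blocks earlier in this file list those versions under "Support phase: **Security and Critical Updates**", and the sentence uses "technical support only" and "technical upgrade support only" for two different things. State the policy once (which versions are in Security and Critical Updates, which are technical upgrade support only) and use the same term the table heading uses.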

@@ -369,16 +369,16 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve |Windows 10 release |Platform version |Engine version |Support phase | |:---|:---|:---|:---| -|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) | -|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) | -|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) | -|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) | -|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) | -|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) | -|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) | -|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) | +|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade support (only) | +|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) | +|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) | +|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) | +|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) | +|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) | +|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) | +|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) | -Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). +For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). ## Updates for Deployment Image Servicing and Management (DISM) From 0644be036d2aa5048fa318d3975c1c15da9d0a5a Mon Sep 17 00:00:00 2001 
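Review bot: the new cell text "Technical upgrade support (only)" keeps the parenthetical "(only)", which reads oddly in a table cell and does not match the section heading "Previous version updates: Technical upgrade support only" that this table sits under; use "Technical upgrade support only" in all eight rows so the phrase is one searchable string.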
From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:04:16 -0800 Subject: [PATCH 31/76] Update introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md --- ...-and-windows-defender-application-control.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index f60748b37b..9483ca4022 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -1,13 +1,12 @@ --- -title: WDAC and virtualization-based code integrity (Windows 10) -description: Hardware and software system integrity-hardening capabilites that can be deployed separately or in combination with Windows Defender Application Control (WDAC). +title: Windows Defender Application Control and virtualization-based code integrity (Windows 10) +description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC). keywords: virtualization, security, malware, device guard ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 07/01/2019 ms.reviewer: manager: dansimp ms.custom: asr 
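Review bot: the title now spells out Windows Defender Application Control, but the keywords line in the same front matter still reads "virtualization, security, malware, device guard" with no "WDAC" or "application control" entry; add them so the page is found under the new name, and keep "device guard" for existing searches.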
@@ -19,24 +18,24 @@ ms.custom: asr - Windows 10 - Windows Server 2016 -Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). +Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks by using virtualization-based protection of code integrity (more specifically, HVCI). -Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. +Configurable code integrity policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices. Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions: 1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. 2. 
Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows. -3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy. -4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution. +3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy. +4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is diminished. Why is this relevant? 
That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution. ## Windows Defender Application Control -When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either. +When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with more hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either. Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability. -Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. 
With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). +Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as an independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). We hope this change will help us better communicate options for adopting application control within an organization. ## Related articles From 0033e3f269e1d40daebd3fc293dd1a039f3c4462 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:07:50 -0800 Subject: [PATCH 32/76] Update network-protection.md --- .../microsoft-defender-atp/network-protection.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 0b6737027d..ce1b2006f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -11,7 +11,6 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 04/30/2019 ms.reviewer: manager: dansimp ms.custom: asr 
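Review bot: in the @@ -19,24 +18,24 @@ hunk, replacing "additional hardware, firmware, and kernel driver compatibility requirements" with "more hardware, firmware, and kernel driver compatibility requirements" makes "more" read as modifying "hardware" rather than "requirements"; "further ... requirements" or "extra ... requirements" keeps the intended sense. The conversational aside in item 4 ("Why is this relevant? That's because an attacker ...") also survives the edit and would read better folded into one sentence: "This matters because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses ...".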
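Review bot: the @@ -11,7 +11,6 @@ hunk in network-protection.md deletes the `ms.date` line outright, whereas the other files touched in this series (customize-controlled-folders.md, configure-remediation-microsoft-defender-antivirus.md, exploit-protection-reference.md) update it to `ms.date: 01/06/2021`; unless this file intentionally drops the field, update it rather than remove it so the page keeps a last-reviewed date.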
@@ -33,7 +32,7 @@ Network protection expands the scope of [Microsoft Defender SmartScreen](../micr Network protection is supported beginning with Windows 10, version 1709. -For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. +For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. @@ -46,7 +45,7 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network ## Requirements -Network protection requires Windows 10 Pro, Enterprise E3, E5 and Microsoft Defender AV real-time protection. +Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection. Windows 10 version | Microsoft Defender Antivirus -|- @@ -76,7 +75,7 @@ You can review the Windows event log to see events that are created when network 1. [Copy the XML directly](event-views.md). -2. Click **OK**. +2. Select **OK**. 3. This will create a custom view that filters to only show the following events related to network protection: 
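Review bot: the @@ -46,7 +45,7 @@ hunk only adds the serial comma and leaves "Microsoft Defender AV real-time protection" in place; the first patch in this series renames "Microsoft Defender AV" to "Microsoft Defender Antivirus" in a page title, so the same rename belongs here: "Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender Antivirus real-time protection."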
@@ -88,6 +87,6 @@ You can review the Windows event log to see events that are created when network ## Related articles -- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. +- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created. - [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. From 91c990c82656292d74841b1619ea33d2a8739057 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:10:38 -0800 Subject: [PATCH 33/76] Update customize-controlled-folders.md --- .../customize-controlled-folders.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 629775a962..8c2ab186eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -1,6 +1,6 @@ --- title: Customize controlled folder access -description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. +description: Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable search.product: eADQiWindows 10XVcnh ms.prod: w10 
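Review bot: in the @@ -1,6 +1,6 @@ hunk for customize-controlled-folders.md, "Add other folders" loses the sense that these folders are protected in addition to the default set, and the body of the same file still says "Protect additional folders" and "You can add additional folders to be protected"; either keep "additional" in the description or change the description and body together (for example "Add more folders ..." and "You can add more folders ...").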
@@ -12,7 +12,7 @@ author: denisebmsft ms.author: deniseb ms.reviewer: jcedola, dbodorin, vladiso, nixanm, anvascon manager: dansimp -ms.date: 12/16/2020 +ms.date: 01/06/2021 --- # Customize controlled folder access @@ -38,7 +38,7 @@ This article describes how to customize controlled folder access capabilities, a ## Protect additional folders -Controlled folder access applies to a number of system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list. +Controlled folder access applies to many system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list. Adding other folders to controlled folder access can be helpful for cases when you don't store files in the default Windows libraries, or you've changed the default location of your libraries. @@ -72,7 +72,7 @@ You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobil ### Use PowerShell to protect additional folders -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** +1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: @@ -125,7 +125,7 @@ An allowed application or service only has write access to a controlled folder a ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** +1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell From bca7802e363b4a98f84ff922bf4250e6e444a1a1 Mon Sep 17 00:00:00 2001 
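Review bot: in the @@ -72,7 +72,7 @@ and @@ -125,7 +125,7 @@ hunks, step 1 is being touched anyway but still lacks the comma before "and select" and a terminating period; suggest "1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell**, and select **Run as administrator**." in both places so the two procedures stay identical.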
From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:13:59 -0800 Subject: [PATCH 34/76] Update configure-remediation-microsoft-defender-antivirus.md --- ...emediation-microsoft-defender-antivirus.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md index cc8fa8dec9..b080c70faa 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp --- 
@@ -39,20 +39,20 @@ To configure these settings: 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. -4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +4. Select the policy **Setting** as specified in the table below, and set the option to your desired configuration. Select **OK**, and repeat for any other settings. -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled -Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days -Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) -Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed -Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). 
You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable -Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled| +|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days | +|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) | +|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed | +|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable | +|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable | > [!IMPORTANT] > Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. 
Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. From 94e5652bdd38b7899b06f768ef34a901700d2fdc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:16:46 -0800 Subject: [PATCH 35/76] Update common-exclusion-mistakes-microsoft-defender-antivirus.md --- ...n-mistakes-microsoft-defender-antivirus.md | 80 +++++++++---------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md index 58cd36777d..8e12b6b966 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md 
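Review bot: in the @@ -39,20 +39,20 @@ hunk, step 1 still says "click **Edit**" while steps 2 and 4 were changed to "select", so the verb is now inconsistent within a single procedure; change step 1 to "select **Edit**" as well. Step 4's "Select the policy **Setting**" also drops the information that the setting has to be opened (the original said "Double-click"); "Open the policy **Setting** as specified in the table below, and set the option ..." keeps that step clear.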
@@ -21,12 +21,12 @@ manager: dansimp You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. -This topic describes some common mistake that you should avoid when defining exclusions. +This article describes some common mistake that you should avoid when defining exclusions. Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions). ## Excluding certain trusted items -There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning. +Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning. **Do not add exclusions for the following folder locations:** 
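Review bot: in the @@ -21,12 +21,12 @@ hunk, "This article describes some common mistake" carries over the singular "mistake" from the original line; it should read "some common mistakes". In the same hunk, "even though you trust them to be not malicious" reads awkwardly; "even though you trust that they are not malicious" is cleaner.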
@@ -61,44 +61,44 @@ There are certain files, file types, folders, or processes that you should not e - C:\Windows\Temp\* **Do not add exclusions for the following file extensions:** -- .7zip -- .bat -- .bin -- .cab -- .cmd -- .com -- .cpl -- .dll -- .exe -- .fla -- .gif -- .gz -- .hta -- .inf -- .java -- .jar -- .job -- .jpeg -- .jpg -- .js -- .ko -- .ko.gz -- .msi -- .ocx -- .png -- .ps1 -- .py -- .rar -- .reg -- .scr -- .sys -- .tar -- .tmp -- .url -- .vbe -- .vbs -- .wsf -- .zip +- `.7zip` +- `.bat` +- `.bin` +- `.cab` +- `.cmd` +- `.com` +- `.cpl` +- `.dll` +- `.exe` +- `.fla` +- `.gif` +- `.gz` +- `.hta` +- `.inf` +- `.java` +- `.jar` +- `.job` +- `.jpeg` +- `.jpg` +- `.js` +- `.ko` +- `.ko.gz` +- `.msi` +- `.ocx` +- `.png` +- `.ps1` +- `.py` +- `.rar` +- `.reg` +- `.scr` +- `.sys` +- `.tar` +- `.tmp` +- `.url` +- `.vbe` +- `.vbs` +- `.wsf` +- `.zip` >[!NOTE] > You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities. From 95caab5d1850238686ae630d70e10d65379a7dcd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:17:50 -0800 Subject: [PATCH 36/76] Update common-exclusion-mistakes-microsoft-defender-antivirus.md --- .../common-exclusion-mistakes-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md index 8e12b6b966..d33ce3552f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md 
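Review bot: in the @@ -61,44 +61,44 @@ hunk, the trailing NOTE context still contains "You can chose to exclude" (should be "choose") and "has a modern, up-to-date software" (drop "a"), and its extensions (.gif, .jpg, .jpeg, .png) are not wrapped in backticks even though the entire list above was just reformatted that way; fix the note in the same pass so the page is consistent.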
@@ -150,7 +150,7 @@ Do not use a single exclusion list to define exclusions for multiple server work Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables. See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists. -## Related topics +## Related articles - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) From 77e349339171392fe1520fde896011843551c35e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:22:32 -0800 Subject: [PATCH 37/76] Update exploit-protection-reference.md --- .../exploit-protection-reference.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 99f4521685..8219039c09 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 07/20/2020 +ms.date: 01/06/2021 ms.reviewer: cjacks manager: dansimp ms.custom: asr @@ -223,7 +223,7 @@ Block low integrity images will prevent the application from loading files that ### Description -Block remote images will prevent the application from loading files that are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory that are on an external device controlled by the attacker. +Blocking remote images helps to prevent the application from loading files that are hosted on a remote device, such as a UNC share. Blocking remote images helps protect against loading binaries into memory that are on an external device controlled by the attacker. This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error. 
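Review bot: in the @@ -223,7 +223,7 @@ hunk, softening "will prevent" to "helps to prevent" contradicts the unchanged sentence that follows ("This mitigation will block image loads if the image is determined to be on a remote device"); the mitigation is deterministic, so "Blocking remote images prevents the application from loading files ..." is the accurate wording. The two consecutive sentences also both open with "Blocking remote images"; the second can start "This helps protect against loading binaries ..." as before.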
@@ -257,7 +257,7 @@ The most common use of fonts outside of the system fonts directory is with [web ### Description -Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. +Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. Code integrity guard includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary that is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process. 
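Review bot: in the @@ -257,7 +257,7 @@ hunk, "Code integrity guard includes WHQL signatures" is inaccurate; it is the set of accepted Microsoft signatures that includes WHQL signatures, not the guard itself. Suggest: "Accepted signatures include [WHQL](...) (Windows Hardware Quality Labs) signatures, which allow WHQL-approved drivers to run within the process." The unchanged context line below also has "the memory manger will return the error STATUS_INVALID_IMAGE_HASH" (should be "memory manager"); worth fixing while the paragraph is open.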
@@ -275,9 +275,9 @@ This mitigation specifically blocks any binary that is not signed by Microsoft. ### Description -Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). +Control flow guard (CFG) mitigates the risk of attackers using memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). -This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation. +This mitigation is provided by injecting another check at compile time. Before each indirect function call, another instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation. The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. 
Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation. @@ -296,7 +296,7 @@ Since applications must be compiled to support CFG, they implicitly declare thei ### Description -Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. +Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. DEP helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash. 
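Review bot: the @@ -275,9 +275,9 @@ hunk introduces a grammar error: "another instructions are added" pairs the singular "another" with a plural noun; the original "additional instructions are added" was correct, or use "extra instructions". Likewise "injecting another check at compile time" implies a check already existed; "injecting a check at compile time" is what is meant. The pre-existing typo "an attacker may user a buffer overflow" (should be "use") sits on a line this hunk already rewrites and should be fixed here too.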
@@ -304,7 +304,7 @@ If you attempt to set the instruction pointer to a memory address not marked as All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed. -All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. +All x86 (32-bit) binaries have DEP enabled by default, but DEP can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, might not be compatible with DEP. Such applications typically generate code dynamically (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. ### Configuration options From c299ce4d7580d99d6c07722d5ea5cc85c849816a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:23:39 -0800 Subject: [PATCH 38/76] Update exploit-protection-reference.md --- .../exploit-protection-reference.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 8219039c09..fbbb9f9107 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md 
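Review bot: in the @@ -304,7 +304,7 @@ hunk, "Some old legacy applications" is redundant; "Some legacy applications" is enough, and "prior to Windows XP SP2" can be "before Windows XP SP2" to match the plainer wording the rest of the rewrite adopts.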
@@ -324,7 +324,7 @@ This includes: ### Compatibility considerations -Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third party Legacy IMEs that will not work with the protected application. +Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third-party Legacy IMEs that will not work with the protected application. ### Configuration options @@ -341,7 +341,7 @@ Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode com ### Compatibility considerations -This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation. +This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will use process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation. ### Configuration options 
@@ -379,18 +379,18 @@ This mitigation is primarily an issue for applications such as debuggers, sandbo ### Configuration options -**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules: +**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for other commonly attacked modules: -- mshtml.dll -- flash*.ocx -- jscript*.ocx -- vbscript.dll -- vgx.dll -- mozjs.dll -- xul.dll -- acrord32.dll -- acrofx32.dll -- acroform.api +- `mshtml.dll` +- `flash*.ocx` +- `jscript*.ocx` +- `vbscript.dll` +- `vgx.dll` +- `mozjs.dll` +- `xul.dll` +- `acrord32.dll` +- `acrofx32.dll` +- `acroform.api` Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory. From 15da08b047ded1955d26389dd8f62cb9d275c03c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:24:51 -0800 Subject: [PATCH 39/76] Update exploit-protection-reference.md --- .../exploit-protection-reference.md | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index fbbb9f9107..68401d1360 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md 
@@ -427,31 +427,31 @@ The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs. This mitigation protects the following Windows APIs: -- GetProcAddress -- GetProcAddressForCaller -- LoadLibraryA -- LoadLibraryExA -- LoadLibraryW -- LoadLibraryExW -- LdrGetProcedureAddress -- LdrGetProcedureAddressEx -- LdrGetProcedureAddressForCaller -- LdrLoadDll -- VirtualProtect -- VirtualProtectEx -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- NtProtectVirtualMemory -- CreateProcessA -- CreateProcessW -- WinExec -- CreateProcessAsUserA -- CreateProcessAsUserW -- GetModuleHandleA -- GetModuleHandleW -- RtlDecodePointer -- DecodePointer +- `GetProcAddress` +- `GetProcAddressForCaller` +- `LoadLibraryA` +- `LoadLibraryExA` +- `LoadLibraryW` +- `LoadLibraryExW` +- `LdrGetProcedureAddress` +- `LdrGetProcedureAddressEx` +- `LdrGetProcedureAddressForCaller` +- `LdrLoadDll` +- `VirtualProtect` +- `VirtualProtectEx` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `NtProtectVirtualMemory` +- `CreateProcessA` +- `CreateProcessW` +- `WinExec` +- `CreateProcessAsUserA` +- `CreateProcessAsUserW` +- `GetModuleHandleA` +- `GetModuleHandleW` +- `RtlDecodePointer` +- `DecodePointer` ### Compatibility considerations From 13afd5971a6fa8f0a729e7b19a9e171226cda9e8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:27:05 -0800 Subject: [PATCH 40/76] Update exploit-protection-reference.md --- .../exploit-protection-reference.md | 136 +++++++++--------- 1 file changed, 68 insertions(+), 68 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 68401d1360..57e45c13c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md 
@@ -488,40 +488,40 @@ Simulate execution (SimExec) is a mitigation for 32-bit applications only. This The APIs intercepted by this mitigation are: -- LoadLibraryA -- LoadLibraryW -- LoadLibraryExA -- LoadLibraryExW -- LdrLoadDll -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- VirtualProtect -- VirtualProtectEx -- NtProtectVirtualMemory -- HeapCreate -- RtlCreateHeap -- CreateProcessA -- CreateProcessW -- CreateProcessInternalA -- CreateProcessInternalW -- NtCreateUserProcess -- NtCreateProcess -- NtCreateProcessEx -- CreateRemoteThread -- CreateRemoteThreadEx -- NtCreateThreadEx -- WriteProcessMemory -- NtWriteVirtualMemory -- WinExec -- CreateFileMappingA -- CreateFileMappingW -- CreateFileMappingNumaW -- NtCreateSection -- MapViewOfFile -- MapViewOfFileEx -- MapViewOfFileFromApp -- LdrGetProcedureAddressForCaller +- `LoadLibraryA` +- `LoadLibraryW` +- `LoadLibraryExA` +- `LoadLibraryExW` +- `LdrLoadDll` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `VirtualProtect` +- `VirtualProtectEx` +- `NtProtectVirtualMemory` +- `HeapCreate` +- `RtlCreateHeap` +- `CreateProcessA` +- `CreateProcessW` +- `CreateProcessInternalA` +- `CreateProcessInternalW` +- `NtCreateUserProcess` +- `NtCreateProcess` +- `NtCreateProcessEx` +- `CreateRemoteThread` +- `CreateRemoteThreadEx` +- `NtCreateThreadEx` +- `WriteProcessMemory` +- `NtWriteVirtualMemory` +- `WinExec` +- `CreateFileMappingA` +- `CreateFileMappingW` +- `CreateFileMappingNumaW` +- `NtCreateSection` +- `MapViewOfFile` +- `MapViewOfFileEx` +- `MapViewOfFileFromApp` +- `LdrGetProcedureAddressForCaller` If a ROP gadget is detected, the process is terminated. 
@@ -543,40 +543,40 @@ Validate API invocation (CallerCheck) is a mitigation for return-oriented progra The APIs intercepted by this mitigation are: -- LoadLibraryA -- LoadLibraryW -- LoadLibraryExA -- LoadLibraryExW -- LdrLoadDll -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- VirtualProtect -- VirtualProtectEx -- NtProtectVirtualMemory -- HeapCreate -- RtlCreateHeap -- CreateProcessA -- CreateProcessW -- CreateProcessInternalA -- CreateProcessInternalW -- NtCreateUserProcess -- NtCreateProcess -- NtCreateProcessEx -- CreateRemoteThread -- CreateRemoteThreadEx -- NtCreateThreadEx -- WriteProcessMemory -- NtWriteVirtualMemory -- WinExec -- CreateFileMappingA -- CreateFileMappingW -- CreateFileMappingNumaW -- NtCreateSection -- MapViewOfFile -- MapViewOfFileEx -- MapViewOfFileFromApp -- LdrGetProcedureAddressForCaller +- `LoadLibraryA` +- `LoadLibraryW` +- `LoadLibraryExA` +- `LoadLibraryExW` +- `LdrLoadDll` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `VirtualProtect` +- `VirtualProtectEx` +- `NtProtectVirtualMemory` +- `HeapCreate` +- `RtlCreateHeap` +- `CreateProcessA` +- `CreateProcessW` +- `CreateProcessInternalA` +- `CreateProcessInternalW` +- `NtCreateUserProcess` +- `NtCreateProcess` +- `NtCreateProcessEx` +- `CreateRemoteThread` +- `CreateRemoteThreadEx` +- `NtCreateThreadEx` +- `WriteProcessMemory` +- `NtWriteVirtualMemory` +- `WinExec` +- `CreateFileMappingA` +- `CreateFileMappingW` +- `CreateFileMappingNumaW` +- `NtCreateSection` +- `MapViewOfFile` +- `MapViewOfFileEx` +- `MapViewOfFileFromApp` +- `LdrGetProcedureAddressForCaller` If a ROP gadget is detected, the process is terminated. From 18627d1a1ee38d1838c808471c2f1f11d62ebf2c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:29:47 -0800 Subject: [PATCH 41/76] Update exploit-protection-reference.md --- .../exploit-protection-reference.md | 68 +++++++++---------- 1 file changed, 34 insertions(+), 34 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 57e45c13c2..e7ee3c6454 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md 
@@ -676,40 +676,40 @@ This mitigation intercepts a number of Windows APIs, and inspects the value of t The APIs intercepted by this mitigation are: -- LoadLibraryA -- LoadLibraryW -- LoadLibraryExA -- LoadLibraryExW -- LdrLoadDll -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- VirtualProtect -- VirtualProtectEx -- NtProtectVirtualMemory -- HeapCreate -- RtlCreateHeap -- CreateProcessA -- CreateProcessW -- CreateProcessInternalA -- CreateProcessInternalW -- NtCreateUserProcess -- NtCreateProcess -- NtCreateProcessEx -- CreateRemoteThread -- CreateRemoteThreadEx -- NtCreateThreadEx -- WriteProcessMemory -- NtWriteVirtualMemory -- WinExec -- CreateFileMappingA -- CreateFileMappingW -- CreateFileMappingNumaW -- NtCreateSection -- MapViewOfFile -- MapViewOfFileEx -- MapViewOfFileFromApp -- LdrGetProcedureAddressForCaller +- `LoadLibraryA` +- `LoadLibraryW` +- `LoadLibraryExA` +- `LoadLibraryExW` +- `LdrLoadDll` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `VirtualProtect` +- `VirtualProtectEx` +- `NtProtectVirtualMemory` +- `HeapCreate` +- `RtlCreateHeap` +- `CreateProcessA` +- `CreateProcessW` +- `CreateProcessInternalA` +- `CreateProcessInternalW` +- `NtCreateUserProcess` +- `NtCreateProcess` +- `NtCreateProcessEx` +- `CreateRemoteThread` +- `CreateRemoteThreadEx` +- `NtCreateThreadEx` +- `WriteProcessMemory` +- `NtWriteVirtualMemory` +- `WinExec` +- `CreateFileMappingA` +- `CreateFileMappingW` +- `CreateFileMappingNumaW` +- `NtCreateSection` +- `MapViewOfFile` +- `MapViewOfFileEx` +- `MapViewOfFileFromApp` +- `LdrGetProcedureAddressForCaller` ### Compatibility considerations From c255d102968b539afcb363ef7429d8e287f50fec Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:32:55 -0800 Subject: [PATCH 42/76] Update exploit-protection-reference.md --- .../exploit-protection-reference.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
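Review bot: The StackPivot API list in this hunk (@@ -676) is a verbatim copy of the SimExec (@@ -488) and CallerCheck (@@ -543) lists edited earlier in this series, and each copy is being reformatted by hand; consider stating in the text that these three mitigations intercept the same set of APIs, or moving the list into a single shared include, so that a future addition (for example a new `Nt*` entry) does not drift between the three sections.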
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index e7ee3c6454..f1867fadcb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -400,7 +400,7 @@ Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection t ### Description -Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. +Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker using techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019&preserve-view=true) linker option, and this mitigation has the same effect. 
@@ -471,7 +471,7 @@ The size of the 32-bit address space places practical constraints on the entropy ### Compatibility considerations -Most applications that are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled). +Most applications that are compatible with Mandatory ASLR (rebasing) are also compatible with the other entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled). ### Configuration options 
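Review bot: The replacement `are also compatible with the other entropy of Bottom-up ASLR` in this hunk (@@ -471) changes the meaning of the sentence: the original "additional entropy" described the extra randomization that Bottom-up ASLR adds on top of Mandatory ASLR (rebasing), whereas "other entropy" reads as a separate, unrelated source of randomness. Suggest "the extra entropy of Bottom-up ASLR" (or "added entropy") so the sentence still says that Bottom-up ASLR randomizes more than rebasing alone.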
@@ -594,7 +594,7 @@ This mitigation is incompatible with the Arbitrary Code Guard mitigation. ### Description -Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. +Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that: 
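Review bot: The SEHOP description in this hunk (@@ -594) is being rewritten anyway, so the pre-existing typo `Because the list of handler is dynamic` should become "the list of handlers" in the same change. In the new line, `An attacker can use a stack overflow vulnerability` would be clearer as "a stack-based buffer overflow vulnerability": "stack overflow" on its own is commonly read as stack exhaustion, while the technique described (overwriting the SEH record stored on the stack) needs an out-of-bounds write.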
@@ -619,7 +619,7 @@ Compatibility issues with SEHOP are relatively rare. It's uncommon for an applic ### Description -*Validate handle usage* is a mitigation that helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). +*Validate handle usage* is a mitigation that helps protect against an attacker using an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). This mitigation is automatically applied to Windows Store applications. 
@@ -639,7 +639,7 @@ Applications that were not accurately tracking handle references, and which were The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include: - Preventing a HEAP handle from being freed -- Performing additional validation on extended block headers for heap allocations +- Performing another validation on extended block headers for heap allocations - Verifying that heap allocations are not already flagged as in-use - Adding guard pages to large allocations, heap segments, and subsegments above a minimum size @@ -672,7 +672,7 @@ Compatibility issues are uncommon. Applications that depend on replacing Windows The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack that controls the flow of execution. -This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. +This mitigation intercepts many Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. The APIs intercepted by this mitigation are: 
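Review bot: In the heap-integrity hunk (@@ -639), `Performing another validation on extended block headers` does not mean what the original did: "additional validation" referred to extra checks performed on the headers, while "another validation" implies one more instance of some validation the reader has not been told about. Suggest "Performing extra validation on extended block headers for heap allocations", which also keeps the bullet parallel with the other three. In the preceding bullet, confirm whether the all-caps `HEAP handle` is meant to name the internal heap structure; if it simply means the handle returned by `HeapCreate`, lower-case it to "heap handle".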
@@ -713,7 +713,7 @@ The APIs intercepted by this mitigation are: ### Compatibility considerations -Applications that are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. +Applications that are using fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation. This mitigation is incompatible with the Arbitrary Code Guard mitigation. From 37799450e22422f557a80fc57a3cb55e1fe80a9c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:38:11 -0800 Subject: [PATCH 43/76] Update evaluate-exploit-protection.md --- .../evaluate-exploit-protection.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md index a6dcacc047..3885e8407c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 08/28/2020 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp --- 
@@ -38,20 +38,20 @@ You can set mitigation in audit mode for specific programs either by using the W ### Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Go to **Program settings** and choose the app you want to apply protection to: - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. + 1. If the app you want to configure is already listed, select it and then select **Edit** + 2. If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app. - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +5. Repeat this for all the apps and mitigations you want to configure. 
Select **Apply** when you're done setting up your configuration. ### PowerShell From f602e4fb0735f676c481496759b03fe0f76a867a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:39:35 -0800 Subject: [PATCH 44/76] Update evaluate-exploit-protection.md --- .../microsoft-defender-atp/evaluate-exploit-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md index 3885e8407c..a7d1eb5399 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md 
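Review bot: Step 2 in this hunk (@@ -38) still opens with `Click the **App & browser control** tile` while every other "click" in the same numbered list was changed to "select", so the procedure is left half-converted in this commit (the next commit in the series finishes it); fold that fix into this change so each commit is self-consistent. The `ms.date` bump to 01/06/2021 in the front-matter hunk is appropriate for a user-facing wording change.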
@@ -40,18 +40,18 @@ You can set mitigation in audit mode for specific programs either by using the W 1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Go to **Program settings** and choose the app you want to apply protection to: 1. If the app you want to configure is already listed, select it and then select **Edit** 2. If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app. - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. +5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. ### PowerShell 
From 195de92fda8a67c2a9ec2992ca1e7bed4fb7d10b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 6 Jan 2021 18:41:59 -0800 Subject: [PATCH 45/76] Update deploy-microsoft-defender-antivirus.md --- .../deploy-microsoft-defender-antivirus.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md index 97eeac6ba1..56d70bda19 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp --- 
@@ -29,11 +29,11 @@ Depending on the management tool you are using, you may need to specifically ena See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). -Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. +Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. -The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). +The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). -## Related topics +## Related articles - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) From d36ef29c53ac6d9a49967862ed1937ea10d93541 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Thu, 7 Jan 2021 18:02:05 +0200 Subject: [PATCH 46/76] Update gov.md --- .../microsoft-defender-atp/gov.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) 
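Review bot: The unchanged context line above the first edit in this hunk (@@ -29) reads `Windows Management Instruction (WMI)`; the product name is Windows Management Instrumentation, and since the neighbouring paragraph is being reworded in this commit, the correction belongs here. Retitling "Related topics" to "Related articles" matches the "topic" to "article" change two lines up, so that part is consistent.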
diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index b4e6a21755..397955688f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -45,17 +45,17 @@ Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/44 Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) -Windows 10, version 1803 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg) With [KB4499183](https://support.microsoft.com/help/4499183) -Windows 10, version 1709 | ![No](../images/svg/check-no.svg)
Note: Will not be supported | ![Yes](../images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)
Note: Will be deprecated, please upgrade +Windows 10, version 1803 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) With [KB4499183](https://support.microsoft.com/help/4499183) +Windows 10, version 1709 | ![No](../images/svg/check-no.svg)
Note: Will not be supported | ![Yes](../images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)
Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade Windows 10, version 1703 and earlier | ![No](../images/svg/check-no.svg)
Note: Will not be supported | ![No](../images/svg/check-no.svg)
Note: Will not be supported Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) -Windows Server 2016 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development -Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development -Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development -Windows 8.1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development -Windows 8 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development -Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development -Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Windows Server 2016 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Windows 8.1 Enterprise | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Windows 8 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Mac OS | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development 
Linux | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development iOS | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) @@ -69,9 +69,9 @@ The following OS versions are supported when using [Azure Defender for Servers]( OS version | GCC | GCC High :---|:---|:--- -Windows Server 2016 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg) -Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg) -Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg) +Windows Server 2016 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) +Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) +Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg)
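Review bot: In the OS support table (@@ -45), the new `Rolling out` status sits beside a "No" icon in the same cell, and the table also uses "In development", "Will not be supported" and "Deprecated" without defining any of them; add a short legend above the table (or a footnote) that states what each status means and how "Rolling out" differs from "In development", otherwise a reader cannot tell whether a Windows 10, version 1803 device can be onboarded today. The unchanged context rows also spell the platform `Mac OS`; the current product name is macOS.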
@@ -108,22 +108,22 @@ Feature name | GCC | GCC High :---|:---|:--- Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) -Email notifications | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Email notifications | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Management and APIs: Integration with third-party products | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Web content filtering | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development -Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In 
development Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg) In development +Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Microsoft Threat Experts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) From 41abac616fa79f7872c48a628aadd81692ed292c Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Thu, 7 Jan 2021 18:09:49 +0200 Subject: [PATCH 47/76] Update gov.md --- .../microsoft-defender-atp/gov.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 397955688f..99fced566c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md 
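Review bot: After this hunk (@@ -108) several rows in the feature table still carry a bare "No" icon with no status text, for example `Microsoft Threat Experts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)`, while neighbouring rows now say "Rolling out" or "In development"; give every "No" cell an explicit status so the blank cells are not read as an omission. The next commit in the series adds "On engineering backlog" to some of these rows but, as far as the visible hunks show, not to the Microsoft Threat Experts row.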
@@ -58,8 +58,8 @@ Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Rolling out | ![No] Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Mac OS | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development Linux | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development -iOS | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) -Android | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) +iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Android | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog > [!NOTE] > A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment. @@ -107,7 +107,7 @@ These are the known gaps as of January 2021: Feature name | GCC | GCC High :---|:---|:--- Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) +Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Email notifications | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development 
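Review bot: The `> [!NOTE]` context below the iOS and Android rows in this hunk (@@ -58) says `A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment` but does not say which patch; since the per-version KB numbers are already listed in the OS column of the same table, the note should point readers to that column explicitly ("the KB listed for your OS version"), otherwise an administrator onboarding a Windows 10, version 1809 device has to guess that KB4586839 is the patch meant.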
@@ -118,11 +118,11 @@ Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No]( Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Web content filtering | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development -Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) -Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) -Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) -Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) -Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) +Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Integrations: Microsoft 
Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development From e93e2506ceb785ce1b599693af512ae0953c98f7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 08:34:56 -0800 Subject: [PATCH 48/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index f519113f0c..a5a0fd9fb0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -15,7 +15,7 @@ ms.localizationpriority: medium ms.custom: - next-gen - edr -ms.date: 12/14/2020 +ms.date: 01/07/2021 ms.collection: - m365-security-compliance - m365initiative-defender-endpoint @@ -71,7 +71,7 @@ The following image shows an instance of unwanted software that was detected and |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | |Operating system |One of the following versions:
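Review bot: the `@@ -58,8 +58,8 @@` hunk introduces a third status term, "On engineering backlog", next to the existing "Rolling out" and "In development" on the iOS and Android rows, but nothing in the hunk or the table intro ("These are the known gaps as of January 2021") says how the three terms differ. Add a short definition of each status where the table is introduced (or in the existing legend, if gov.md has one) so readers can tell whether "On engineering backlog" means no committed date, as opposed to "In development".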
- Windows 10 (all releases)
- Windows Server 2016 or later | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.

See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | +|Cloud-delivered protection |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. You can use Microsoft Defender Antivirus alongside another antivirus solution.

In addition, make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | |Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | |Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | From cc2e9c09d23fbefc08e6dc675efa95258e30ca08 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Thu, 7 Jan 2021 18:49:14 +0200 Subject: [PATCH 49/76] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 99fced566c..42f48c7a27 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md 
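Review bot: in the `@@ -71,7 +71,7 @@` hunk the row is still labelled `|Cloud-delivered protection |` but its first sentence is now a requirement on the antivirus itself (`Microsoft Defender Antivirus must be installed and running in either active mode or passive mode.`), so the label no longer describes the cell. Either split this into its own row (for example "Microsoft Defender Antivirus") or rename the row. Also, the new sentence tells the reader the mode matters but not how to check it; the table already sends readers to `Get-MpComputerStatus` for `AMProductVersion` and `AMEngineVersion`, so pointing at the same cmdlet's `AMRunningMode` property here would make the requirement verifiable.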
@@ -56,10 +56,10 @@ Windows 8.1 Enterprise | ![No](../images/svg/check-no.svg) Rolling out | ![No](. Windows 8 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development -Mac OS | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development Linux | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development -iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Mac OS | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development Android | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog > [!NOTE] > A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment. From 7ed424f85a07cb639ef44d74510e0b78fc19e086 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 09:22:34 -0800 Subject: [PATCH 50/76] Update edr-in-block-mode.md --- .../edr-in-block-mode.md | 31 ++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index a5a0fd9fb0..a2071821fe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
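Review bot: the `@@ -56,10 +56,10 @@` hunk is a pure move (the removed `-Mac OS ...` and `-iOS ...` lines are identical to the added `+Mac OS ...` and `+iOS ...` lines), which the commit message "Update gov.md" does not convey. State the intent in the commit message (the resulting order groups desktop platforms Linux, Mac OS and then mobile platforms Android, iOS alphabetically) so that the next person diffing this table does not read it as a content change.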
@@ -71,7 +71,7 @@ The following image shows an instance of unwanted software that was detected and |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | |Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. You can use Microsoft Defender Antivirus alongside another antivirus solution.

In addition, make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | +|Cloud-delivered protection |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (If you are using a non-Microsoft antivirus solution, you can still use Microsoft Defender Antivirus. See [How do I confirm Microsoft Defender Antivirus is in active or passive mode?](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode).)

In addition, make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | |Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | |Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | 
@@ -97,6 +97,35 @@ Because Microsoft Defender Antivirus detects and remediates malicious items, it' Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models. +### How do I set Microsoft Defender Antivirus to passive mode? + +See [Enable Microsoft Defender Antivirus and confirm it's in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode). + +### How do I confirm Microsoft Defender Antivirus is in active or passive mode? + +To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows. + +#### Use PowerShell + +1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results. + +2. Type `Get-MpComputerStatus`. + +3. In the list of results, look for one of the following: + - `AMRunningMode: Normal` + - `AMRunningMode: Passive Mode` + - `AMRunningMode: SxS Passive Mode` + +To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps). + +#### Use Command Prompt + +1. Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results. + +2. Type `sc query windefend`. + +3. In the list of results, in the `STATE` row, confirm that the service is running. + ## See also - [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617) 
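Review bot: in the `@@ -97,6 +97,35 @@` hunk the "Use Command Prompt" procedure does not answer the section heading "How do I confirm Microsoft Defender Antivirus is in active or passive mode?": `sc query windefend` reports only whether the WinDefend service is running (`STATE` row), not which mode it is in, so a device with a non-Microsoft antivirus installed will show RUNNING in passive mode just as it does in active mode. Say in step 3 that this confirms the service is running and that the mode itself has to be read from `AMRunningMode` in the PowerShell procedure. Minor: the new link `[Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps)` carries a `view` parameter without `&preserve-view=true`, unlike the two links to the same cmdlet in the requirements table above; align them.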
From 2409e91582f8f7b45a60d6f469e2cff43b5e6e4d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 09:24:52 -0800 Subject: [PATCH 51/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index a2071821fe..023c3aad47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -71,7 +71,7 @@ The following image shows an instance of unwanted software that was detected and |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | |Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (If you are using a non-Microsoft antivirus solution, you can still use Microsoft Defender Antivirus. See [How do I confirm Microsoft Defender Antivirus is in active or passive mode?](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode).)

In addition, make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | +|Cloud-delivered protection |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) See [How do I confirm Microsoft Defender Antivirus is in active or passive mode?](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode).)

In addition, make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | |Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | |Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | From a3d29f03306322f9a4f4012e1d72a3d0840cb3b2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 09:26:48 -0800 Subject: [PATCH 52/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 023c3aad47..a85f4dfe14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -83,7 +83,7 @@ The following image shows an instance of unwanted software that was detected and ### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices? -We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections. +We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides an additional layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections. ### Will EDR in block mode have any impact on a user's antivirus protection? From ab4b15a77dead9e2ac42c54cab88e265a914762e Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 7 Jan 2021 09:32:52 -0800 Subject: [PATCH 53/76] Update use.md --- .../security/threat-protection/microsoft-defender-atp/use.md | 5 +++++ 1 file changed, 5 insertions(+) 
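Review bot: the `@@ -71,7 +71,7 @@` hunk leaves an unbalanced parenthesis in the rewritten cell: `(You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) See [How do I confirm ...](#...).)` closes the parenthetical after "solution." and then ends the sentence with a second `)` that has no opening counterpart. Drop the trailing `)` after the link, or move the "See ..." sentence inside the parentheses.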
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 3b37769671..94a305a5eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -36,6 +36,11 @@ Use the **Threat & Vulnerability Management** dashboard to expand your visibilit Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown. +## Microsoft Defender for Endpoint interactive guide +In this interactive guide, you'll learn how to investigate threads to your organization with Microsoft Defender for Endpoint. You'll see how Microsoft Defender for Endpoint can help you identify suspicious activities, investigate risks to your organization, and remediate threats. + +[!VIDEO https://aka.ms/MSDE-IG] + ### In this section Topic | Description From b386e6d9848b0d91e02bcc5cc81514fb84fb9e4a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 09:33:19 -0800 Subject: [PATCH 54/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index a85f4dfe14..def71f7250 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
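Review bot: in the `@@ -36,6 +36,11 @@` hunk the new section is a level-2 heading (`+## Microsoft Defender for Endpoint interactive guide`) inserted directly above the existing level-3 heading `### In this section`, so the topic list that used to belong to the page's parent section now renders as a subsection of the interactive guide. Either demote the new heading to `###` or place the new section after the "In this section" table. Also, "investigate threads to your organization" should read "threats".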
@@ -32,7 +32,7 @@ ms.collection: ## What is EDR in block mode? -When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is turned on, Defender for Endpoint blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach. +[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach. EDR in block mode is also integrated with [threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Your organization's security team will get a [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to turn EDR in block mode on if it isn't already enabled. 
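Review bot: in the `@@ -32,7 +32,7 @@` hunk the added line ends with "malicious artifacts that are detected post breach" while the rest of this page writes the adjective form as "post-breach" (for example "post-breach behavioral EDR detections" in the FAQ); hyphenate consistently. The new lead sentence also uses "malicious artifacts" twice in three sentences; the second and third sentences could be merged ("When turned on, EDR in block mode blocks and remediates malicious artifacts or behaviors that are detected post-breach.").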
@@ -83,15 +83,15 @@ The following image shows an instance of unwanted software that was detected and ### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices? -We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides an additional layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections. +We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections. ### Will EDR in block mode have any impact on a user's antivirus protection? -EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. +EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. 
EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), except it also blocks and remediates malicious artifacts or behaviors that are detected. ### Why do I need to keep Microsoft Defender Antivirus up to date? -Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date. +Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to use the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date. ### Why do we need cloud protection on? From 898eb448d332fca090a9d76cfef7919bdc1c8d3d Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 7 Jan 2021 09:34:04 -0800 Subject: [PATCH 55/76] Update use.md --- .../security/threat-protection/microsoft-defender-atp/use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 94a305a5eb..081596f1aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md 
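Review bot: in the `@@ -83,15 +83,15 @@` hunk the "Why do I need to keep Microsoft Defender Antivirus up to date?" answer is still a run-on after swapping "leverage" for "use": "it's important to keep it up to date to use the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective" stacks two purpose clauses. Suggest splitting it: "Keep it up to date so that EDR in block mode can use the latest device learning models, behavioral detections, and heuristics." The split of the passive-mode comparison into its own sentence in the previous answer reads well.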
+++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -37,7 +37,7 @@ Use the **Threat & Vulnerability Management** dashboard to expand your visibilit Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown. ## Microsoft Defender for Endpoint interactive guide -In this interactive guide, you'll learn how to investigate threads to your organization with Microsoft Defender for Endpoint. You'll see how Microsoft Defender for Endpoint can help you identify suspicious activities, investigate risks to your organization, and remediate threats. +In this interactive guide, you'll learn how to investigate threats to your organization with Microsoft Defender for Endpoint. You'll see how Microsoft Defender for Endpoint can help you identify suspicious activities, investigate risks to your organization, and remediate threats. [!VIDEO https://aka.ms/MSDE-IG] From ee3f82a8654f8fa713a7f012af54b21f1c575532 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 09:35:40 -0800 Subject: [PATCH 56/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index def71f7250..07e482586e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
@@ -43,7 +43,7 @@ EDR in block mode is also integrated with [threat & vulnerability management](ht ## What happens when something is detected? -When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center). +When EDR in block mode is turned on, and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center). The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: @@ -111,10 +111,10 @@ To confirm whether Microsoft Defender Antivirus is running in active or passive 2. Type `Get-MpComputerStatus`. -3. In the list of results, look for one of the following: - - `AMRunningMode: Normal` - - `AMRunningMode: Passive Mode` - - `AMRunningMode: SxS Passive Mode` +3. In the list of results, in the `AMRunningMode` row, look for one of the following values: + - `Normal` + - `Passive Mode` + - `SxS Passive Mode` To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps). From d8959ac9eb6c8fa7ea36ef2f422bb5cb2411dced Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 09:43:06 -0800 Subject: [PATCH 57/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
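Review bot: in the `@@ -111,10 +111,10 @@` hunk the restructured step 3 lists the `AMRunningMode` values `Normal`, `Passive Mode` and `SxS Passive Mode` but still does not say which value answers the question in the heading. Add the mapping next to the values: `Normal` means Microsoft Defender Antivirus is in active mode; `Passive Mode` and `SxS Passive Mode` both mean it is in passive mode (the SxS variant being the side-by-side case with a non-Microsoft antivirus). Without that, a reader who sees `Normal` has to guess that it is the active state.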
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 07e482586e..9c53fcc49a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -116,7 +116,7 @@ To confirm whether Microsoft Defender Antivirus is running in active or passive - `Passive Mode` - `SxS Passive Mode` -To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps). +To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus). #### Use Command Prompt From 47fc5b95cbd10bd19059e8ed65b896e53e2b4537 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 09:48:24 -0800 Subject: [PATCH 58/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 9c53fcc49a..79a5673036 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -71,7 +71,7 @@ The following image shows an instance of unwanted software that was detected and |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | |Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) See [How do I confirm Microsoft Defender Antivirus is in active or passive mode?](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode).)

In addition, make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | +|Cloud-delivered protection |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode).

In addition, make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | |Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | |Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | From a0a5572da3848dd5bfbfeb11aa85cfb77db8391e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 09:49:24 -0800 Subject: [PATCH 59/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 79a5673036..6344d50b9a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -71,7 +71,7 @@ The following image shows an instance of unwanted software that was detected and |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | |Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode).

In addition, make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | +|Cloud-delivered protection |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode).

In addition, make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | |Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | |Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | From aa303399ccb7ffb9b9e7445d4f98d9070dfa30f3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 09:51:01 -0800 Subject: [PATCH 60/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 6344d50b9a..b53e114acc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -76,8 +76,7 @@ The following image shows an instance of unwanted software that was detected and |Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | > [!IMPORTANT] -> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined. - +> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) are defined. EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus. ## Frequently asked questions From 29a4ef88256a2ace31d71724ddae949ca09919f9 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 7 Jan 2021 09:57:51 -0800 Subject: [PATCH 61/76] Update use.md --- .../security/threat-protection/microsoft-defender-atp/use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 081596f1aa..eeeba70ccd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -39,7 +39,7 @@ Use the **Threat analytics** dashboard to continually assess and control risk ex ## Microsoft Defender for Endpoint interactive guide In this interactive guide, you'll learn how to investigate threats to your organization with Microsoft Defender for Endpoint. You'll see how Microsoft Defender for Endpoint can help you identify suspicious activities, investigate risks to your organization, and remediate threats. -[!VIDEO https://aka.ms/MSDE-IG] +> [!VIDEO https://aka.ms/MSDE-IG] ### In this section From 47dac969b5512a26efdf3578cdee4ed0a982ed54 Mon Sep 17 00:00:00 2001 
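Review bot: The sentence added to the IMPORTANT block in PATCH 60, `EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.`, states the behaviour but leaves out its consequence, which is the security-relevant point: any path, process or extension excluded from Microsoft Defender Antivirus is also outside what EDR in block mode will block or remediate, so an over-broad exclusion list is a blind spot for this feature as well. Suggest following the sentence with that caveat, for example `Review your exclusions carefully; anything excluded from Microsoft Defender Antivirus is not blocked or remediated by EDR in block mode either.` Also, the new link uses a relative path (`../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md`) while every other link in this file's requirements table is an absolute `https://docs.microsoft.com/...` URL; pick one convention for the file.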
From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 10:00:11 -0800 Subject: [PATCH 62/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index b53e114acc..5300626bd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -71,7 +71,8 @@ The following image shows an instance of unwanted software that was detected and |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | |Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode).

In addition, make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | +|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). | +|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | |Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | |Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | From 40762f3bbd912ef4cc766dd2c6130295b4f578d8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 10:06:13 -0800 Subject: [PATCH 63/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 5300626bd2..8f97a4b56f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -77,7 +77,7 @@ The following image shows an instance of unwanted software that was detected and |Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | > [!IMPORTANT] -> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) are defined. EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus. +> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus. ## Frequently asked questions From afaf7b099df4b8a2387318097aeb79d53dcade08 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Thu, 7 Jan 2021 22:13:32 +0200 Subject: [PATCH 64/76] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 42f48c7a27..a8904d84f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md 
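Review bot: In the `@@ -71,7 +71,8 @@` hunk of PATCH 62 the new row label `|Microsoft Defender Antivirus |` is ambiguous next to the existing `|Microsoft Defender Antivirus antimalware client |` and `|Microsoft Defender Antivirus engine |` rows in the same table; since the row's content is about the running mode (checked via `AMRunningMode`), a label such as `Microsoft Defender Antivirus mode` would let a reader scan the first column. Splitting cloud-delivered protection into its own row is the right call, because the two prerequisites are checked in different places. Separately, PATCH 58, 59, 62 and 63 each rework this one requirements table by a phrase at a time; squashing them into a single commit would let the table change be reviewed as a unit.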
@@ -126,4 +126,4 @@ Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engi Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Microsoft Threat Experts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg) +Microsoft Threat Experts | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development From c8969b6e4f8fc3b2357972e7ba054c4bbfd52792 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Thu, 7 Jan 2021 22:13:52 +0200 Subject: [PATCH 65/76] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index a8904d84f6..9f89eda253 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md 
@@ -126,4 +126,4 @@ Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engi Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Microsoft Threat Experts | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +Microsoft Threat Experts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog From 7953f7477d523a50d9cf944001e95b7dfe93c407 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 14:41:29 -0800 Subject: [PATCH 66/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 8f97a4b56f..640feefc2f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
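Review bot: PATCH 64 changes the Microsoft Threat Experts cells in gov.md to `In development` and PATCH 65, twenty seconds later, changes the same cells to `On engineering backlog`; only the second state is intended, so squash the two so the history does not record an intermediate status that was never true. Since the table distinguishes `In development` from `On engineering backlog` for other rows (`Integrations: Microsoft Power Automate & Azure Logic Apps | ... Rolling out | ... In development`), confirm with the feature team that `On engineering backlog` is the status they reported for both columns before merging.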
@@ -91,7 +91,7 @@ EDR in block mode does not affect third-party antivirus protection running on us ### Why do I need to keep Microsoft Defender Antivirus up to date? -Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to use the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date. +Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date. ### Why do we need cloud protection on? @@ -111,7 +111,7 @@ To confirm whether Microsoft Defender Antivirus is running in active or passive 2. Type `Get-MpComputerStatus`. -3. In the list of results, in the `AMRunningMode` row, look for one of the following values: +3. In the list of results, in the **AMRunningMode** row, look for one of the following values: - `Normal` - `Passive Mode` - `SxS Passive Mode` @@ -124,7 +124,7 @@ To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/ 2. Type `sc query windefend`. -3. In the list of results, in the `STATE` row, confirm that the service is running. +3. In the list of results, in the **STATE** row, confirm that the service is running. ## See also From 6dd2bf3e0ed3102e1c2750d31c5688b85354f2db Mon Sep 17 00:00:00 2001 
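Review bot: In the `@@ -91,7 +91,7 @@` hunk the rewritten sentence `For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics.` is grammatically off (the purpose clause is followed by an `it` with no clear antecedent) and keeps `device learning models`, which reads as a slip for `machine learning models`; suggest `EDR in block mode relies on the latest machine learning models, behavioral detections, and heuristics, so it is only as effective as the antivirus client it runs with.` In the two later hunks, switching `STATE` to bold is fine for a label in `sc query` output, but `AMRunningMode` is a property name in `Get-MpComputerStatus` output and the values listed beneath it (`Normal`, `Passive Mode`, `SxS Passive Mode`) stay in backticks; keeping the property name in code formatting too would be consistent with how the file already formats the cmdlet and its values.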
From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 14:47:56 -0800 Subject: [PATCH 67/76] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...ecurity-settings-with-tamper-protection.md | 24 +++++++++++-------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 567fc845b6..02e271f7a0 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -14,7 +14,7 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 11/19/2020 +ms.date: 01/07/2021 --- # Protect security settings with tamper protection @@ -24,8 +24,12 @@ ms.date: 11/19/2020 **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Tamper protection is available on devices running the following versions of Windows: + - Windows 10 -- Windows Server 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)) +- Windows Server 2016 and 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)) ## Overview 
@@ -74,7 +78,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And, If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection. -1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**. +1. Click **Start**, and start typing *Security*. In the search results, select **Windows Security**. 2. Select **Virus & threat protection** > **Virus & threat protection settings**. @@ -101,15 +105,15 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal- 3. Select **Devices** > **Configuration Profiles**. -4. Create a profile as follows: +4. Create a profile that includes the following settings: - - Platform: **Windows 10 and later** + - **Platform: Windows 10 and later** - - Profile type: **Endpoint protection** + - **Profile type: Endpoint protection** - - Category: **Microsoft Defender Security Center** + - **Category: Microsoft Defender Security Center** - - Tamper Protection: **Enabled** + - **Tamper Protection: Enabled** ![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png) 
@@ -132,7 +136,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release > [!IMPORTANT] > The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. -If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. +If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. 1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions). 
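Review bot: In the `@@ -132,7 +136,7 @@` hunk the paragraph is updated to `Windows 10, Windows Server 2016, and Windows Server 2019`, but the IMPORTANT note directly above it, visible here as unchanged context (`The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019.`), still omits Windows Server 2016; update it in the same commit so the note and the paragraph agree. The first hunk already adds `Windows Server 2016 and 2019` to the Applies-to list, which leaves this note as the one place in the file still stating the old scope.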
@@ -209,7 +213,7 @@ Your regular group policy doesn’t apply to tamper protection, and changes to M ### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only? -Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups. +Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups. ### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? From b4ee3e3c0eb2f87a273b57c0b3c688ff389997b9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 14:49:33 -0800 Subject: [PATCH 68/76] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...event-changes-to-security-settings-with-tamper-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 02e271f7a0..ad05cd6b37 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md 
@@ -94,7 +94,7 @@ If you are part of your organization's security team, and your subscription incl You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task. -1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune: +1. Make sure your organization meets all of the following requirements to use Intune to manage tamper protection: - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.) - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).) From 5d6b341c0bb2e780ab14f67652d6ba00b0f9ca64 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 14:51:48 -0800 Subject: [PATCH 69/76] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 640feefc2f..0c01e2faf7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
@@ -73,8 +73,8 @@ The following image shows an instance of unwanted software that was detected and |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | |Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). | |Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | -|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | -|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | +|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | +|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | > [!IMPORTANT] > To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus. From 3dba1bbb77367ad88111e6c6043b8afcc49adaa9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 14:58:56 -0800 Subject: [PATCH 70/76] fixing applies to --- ...igure-block-at-first-sight-microsoft-defender-antivirus.md | 2 +- ...cloud-block-timeout-period-microsoft-defender-antivirus.md | 2 +- ...figure-network-connections-microsoft-defender-antivirus.md | 2 +- ...onfigure-server-exclusions-microsoft-defender-antivirus.md | 4 ++++ 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 43aa53b445..c3ec759d81 100644 
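Review bot: In the `@@ -73,8 +73,8 @@` hunk of PATCH 69 the two `Get-MpComputerStatus` links keep `?view=win10-ps&preserve-view=true`, while PATCH 57 earlier in this series removed `?view=win10-ps` from the same cmdlet's link in the same file (`https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus`). Since this hunk already rewrites both rows, drop the query string here too so the file links the cmdlet one way. Joining `In the **AMProductVersion** line, you should see **4.18.2001.10** or above.` onto the same line as the cmdlet instruction is fine; the cell no longer depends on a hard line break inside a table row.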
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -22,7 +22,7 @@ ms.date: 10/22/2020 **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md index 4be673460a..2555377694 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 1485e83d0a..e4896f9709 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index 1fa6c1665b..7c834bd8e4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md 
@@ -19,6 +19,10 @@ ms.custom: nextgen [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). From d6bf4b4138ecceaf7681002939deb5b2877ea4d0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 15:02:00 -0800 Subject: [PATCH 71/76] fixing applies to --- .../enable-cloud-protection-microsoft-defender-antivirus.md | 2 +- .../office-365-microsoft-defender-antivirus.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index 2dfddb6de2..69956ae919 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md 
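Review bot: In all four `**Applies to:**` hunks of this patch (block-at-first-sight, cloud-block-timeout, network-connections, and the new block added to server-exclusions) the `- Microsoft Defender Antivirus` bullet is dropped or omitted and only the Defender for Endpoint link remains, yet each article's opening sentence in the context lines still describes Microsoft Defender Antivirus behaviour itself (block at first sight, the cloud block timeout, cloud-delivered protection connectivity, automatic server-role exclusions). Keep `- Microsoft Defender Antivirus` as a second bullet under the new link so readers running the antivirus without Defender for Endpoint do not conclude the article no longer applies to them. The same `go.microsoft.com/fwlink/p/?linkid=2146631` URL is also pasted verbatim into every file; a shared include for the Applies-to block would turn the next rename into a single edit.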
@@ -21,7 +21,7 @@ ms.custom: nextgen **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!NOTE] > The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md index eb9a31fb16..3ca4e0239b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md @@ -24,9 +24,9 @@ manager: dansimp **Applies to:** - +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Microsoft Defender Antivirus -- Office 365 +- Microsoft 365 You might already know that: From 25d41dd409ac343ca06c27d94e8a888a95691867 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 15:02:37 -0800 Subject: [PATCH 72/76] Update specify-cloud-protection-level-microsoft-defender-antivirus.md --- ...ecify-cloud-protection-level-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md index 433c59bb6f..79cb4f70cc 100644 
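Review bot: The office-365 hunk keeps `- Microsoft Defender Antivirus` beneath the new Defender for Endpoint bullet, while the enable-cloud-protection hunk in the same patch removes it; the `**Applies to:**` block should follow one convention across the patch series, and the office-365 form (both bullets) is the one that matches the articles' content. The `-- Office 365` / `+- Microsoft 365` rename also widens the stated scope of a file still named `office-365-microsoft-defender-antivirus.md`; check that the title and the "You might already know that:" introduction were updated to match, or leave the bullet as `Office 365` if the body still talks only about Office apps.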
--- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ ms.custom: nextgen **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy. From 92028eaf0c6845828c9a60a013570fde6b1ba9b6 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 7 Jan 2021 15:02:45 -0800 Subject: [PATCH 73/76] Acrolinx: "Mac OS" --- .../security/threat-protection/microsoft-defender-atp/gov.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 9f89eda253..2942c525e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md 
@@ -57,7 +57,7 @@ Windows 8 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/ Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development Linux | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development -Mac OS | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +macOS | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development Android | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog From ea93ea5f97bada546a57ad649b80bfa2b1c7347e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 15:03:07 -0800 Subject: [PATCH 74/76] Update utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md --- ...e-microsoft-cloud-protection-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md index da103c7192..b0a598436f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md 
@@ -21,7 +21,7 @@ ms.custom: nextgen **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. From 1d2dcd86fa81c9e180615e1233a5ddb222ebda77 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 15:28:08 -0800 Subject: [PATCH 75/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- ...tes-baselines-microsoft-defender-antivirus.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 1b9cc2aad0..cd30c7318d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: pahuijbr manager: dansimp -ms.date: 01/06/2021 +ms.date: 01/07/2021 --- # Manage Microsoft Defender Antivirus updates and apply baselines @@ -387,6 +387,20 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+1.1.2101.02 + + Package version: **1.1.2101.02** + Platform version: **4.18.2011.6** + Engine version: **1.17700.4** + Signature version: **1.329.1796.0** + +### Fixes +- None + +### Additional information +- None +
+
1.1.2012.01  Package version: **1.1.2012.01** From 382f6671f37e1b372ddf193b163026e6cfe81d52 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 7 Jan 2021 15:29:02 -0800 Subject: [PATCH 76/76] Update manage-updates-baselines-microsoft-defender-antivirus.md --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index cd30c7318d..b0d94c4785 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -355,7 +355,6 @@ When this update is installed, the device needs the jump package 4.10.2001.10 to ## Microsoft Defender Antivirus platform support Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version: - - **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. - **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
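Review bot: The new `1.1.2101.02` entry in the manage-updates-baselines hunk records `### Fixes` as `- None` and `### Additional information` as `- None`, so it tells the reader nothing beyond the four version numbers; if this package only rolls the platform (4.18.2011.6), engine (1.17700.4) and signature (1.329.1796.0) versions forward, state that under `### Additional information`, and if the release notes are still pending, say so instead of `None`. Also confirm the leading blank `+` lines and the single-space indentation of the `Package version:` through `Signature version:` lines match the existing `1.1.2012.01` entry that follows, so both entries render the same way.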
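Review bot: In the platform-support hunk, removing only the blank line between the sentence ending "depending on the availability of the latest platform version:" and the first `- **Security and Critical Updates servicing phase**` bullet leaves a list starting directly after a paragraph line; most Markdown renderers still begin a list there, but the source now reads as one run-on block and differs from the spacing used elsewhere in the article, so either restore the blank line or note why it was removed. Separately, the context line `Platform versions older than N-2 will no longer be supported.*` ends with a `*` that has no matching footnote within the hunk; if the footnote lives elsewhere in the file it should be verified, otherwise the stray asterisk should be dropped in this same patch.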